Threat Encyclopedia

Win32/Delf.PBF

Aliases: Trojan.Win32.Agent.dhbq (Kaspersky), Trojan:Win32/Tachtoli.A (Microsoft), Generic.dx!nkr (McAfee)
Type of infiltration: Trojan
Size: 168960 B
Affected platforms: Microsoft Windows
Signature database version: 4877 (20100218)

Short description

The trojan is designed to artificially generate traffic to certain Internet sites.

Installation

When executed, the trojan copies itself to the following locations:
  • %localappdata%\microsoft\windows\wtnmm.exe
  • %startup%\wtnmm.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Winlogon]
    "SHELL" = "explorer.exe, "%localappdata%\microsoft\windows\wtnmm.exe""

Other information

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics, etc.

The trojan receives data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs. The HTTP protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
The trojan may create the following files:
  • %localappdata%\Microsoft\Windows\thumbcac_888.db
  • %localappdata%\Microsoft\Windows\%variable%.exe
A string with variable content is used instead of %variable%.
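
A defender can check a host for the persistence entry and the fixed file names listed above. The PowerShell sweep below is an added example, not part of the original description. It assumes that a clean Winlogon Shell value is exactly "explorer.exe" and that %localappdata% and %startup% resolve to the default per-user folders under <SystemDrive>\Users. The variable-named %variable%.exe file is not covered.

```powershell
# Added example: sweep for the persistence points and file names listed above.
# Assumptions: a clean Shell value is exactly "explorer.exe"; profiles live under
# <SystemDrive>\Users with the default AppData layout (Windows Vista and later).
$findings = @()

# 1. Winlogon Shell: split on commas, strip quotes, flag anything but explorer.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -eq $shell) {
    $findings += 'Winlogon Shell value is missing or unreadable'
} else {
    $entries = $shell -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -ne 'explorer.exe') {
            $findings += "Unexpected Winlogon Shell entry: $entry"
        }
    }
}

# 2. Dropped files: check every local profile, not only the current user's.
$relativePaths = @(
    'AppData\Local\Microsoft\Windows\wtnmm.exe',
    'AppData\Local\Microsoft\Windows\thumbcac_888.db',
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wtnmm.exe'
)
$usersRoot = Join-Path $env:SystemDrive 'Users'
foreach ($userDir in Get-ChildItem -Path $usersRoot -Directory -Force -ErrorAction SilentlyContinue) {
    foreach ($rel in $relativePaths) {
        $path = Join-Path $userDir.FullName $rel
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $size = (Get-Item -LiteralPath $path -Force).Length
            # 168960 bytes is the sample size given in this description.
            $note = if ($size -eq 168960) { ' (size matches the described sample)' } else { '' }
            $findings += "Found $path, $size bytes$note"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this description found.' } else { $findings }
```

Run it from an elevated prompt so that other users' profile folders are readable.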