Threat Encyclopedia


Win32/Delf.PGD

Aliases: Trojan.Win32.Delf.wnp (Kaspersky), Generic.dx!rwz (McAfee), Trojan horse Generic17.BERQ (AVG)
Type of infiltration: Trojan
Size: 152576 B
Affected platforms: Microsoft Windows
Signature database version: 5050 (20100422)

Short description

Win32/Delf.PGD is a trojan that steals passwords and other sensitive information. The trojan can be used for sending spam. The trojan can download and execute a file from the Internet.

Installation

When executed, the trojan creates the following folders:
  • %appdata%\system
  • %appdata%\system\verona
The trojan copies itself to the following locations:
  • %appdata%\system\svchost.exe
  • %appdata%\system\verona\load_me.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "wupd32" = "%appdata%\system\svchost.exe"
The trojan executes the following command:
  • net share shara=%appdata%\system\verona

Information stealing

Win32/Delf.PGD is a trojan that steals passwords and other sensitive information.

The trojan collects information related to the following applications:
  • Total Commander
  • Microsoft Outlook Express
  • The Bat!
The collected information is stored in the following file:
  • %temp%\tmp
The trojan contains a list of (1) FTP addresses.

The trojan attempts to send gathered information to a remote machine. The FTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs. It tries to download a file from the address. The HTTP protocol is used.

The file is stored into the following folder:
  • %temp%
The following filename is used:
  • tmp
  • %variable%
A string with variable content is used instead of %variable%.

The trojan can be used for sending spam.

The trojan can download and execute a file from the Internet.

The trojan may execute the following commands:
  • sc.exe delete AntiVirWebService
  • sc.exe delete AntiVirService
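Added here as a defender's example, not part of the ESET description: a small Python scan over constructed endpoint telemetry that flags the persistence entry, dropped copies, "shara" share and service-deletion commands listed under Installation and Other information above. The event record layout, the field names and the %APPDATA% value are assumptions of this example.

```python
import re

# Indicators taken from the Win32/Delf.PGD description above; the event
# record format (dicts with a "type" field) is an assumption of this example.
RUN_VALUE_NAME = "wupd32"
DROP_PATHS = {r"%appdata%\system\svchost.exe", r"%appdata%\system\verona\load_me.exe"}
SHARE_COMMAND = re.compile(r"\bnet\s+share\s+shara=", re.IGNORECASE)
SC_DELETE = re.compile(r"\bsc(?:\.exe)?\s+delete\s+(antivirwebservice|antivirservice)\b", re.IGNORECASE)

def normalise_path(path, appdata):
    """Fold a concrete %APPDATA% path back to the symbolic form used above."""
    p = path.lower().replace("/", "\\")
    a = appdata.lower().rstrip("\\")
    return "%appdata%" + p[len(a):] if p.startswith(a + "\\") else p

def scan_events(events, appdata):
    """Return (event index, reason) for every event matching an indicator."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "registry_set":
            # Run value "wupd32" under HKCU\...\CurrentVersion\Run (persistence)
            if ev["key"].lower().endswith(r"\currentversion\run") and ev["value"].lower() == RUN_VALUE_NAME:
                hits.append((i, "autorun value " + RUN_VALUE_NAME))
        elif kind == "file_create":
            # copies of the trojan dropped under %appdata%\system
            sym = normalise_path(ev["path"], appdata)
            if sym in DROP_PATHS:
                hits.append((i, "trojan copy written to " + sym))
        elif kind == "process_create":
            cmd = ev["cmdline"]
            if SHARE_COMMAND.search(cmd):  # "net share shara=..." exposing the verona folder
                hits.append((i, "share 'shara' created"))
            m = SC_DELETE.search(cmd)  # "sc.exe delete AntiVir..." removing the AV services
            if m:
                hits.append((i, "antivirus service deleted: " + m.group(1)))
    return hits

# Constructed sample telemetry for one session (not taken from the page).
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_EVENTS = [
    {"type": "file_create", "path": APPDATA + r"\system\svchost.exe"},
    {"type": "file_create", "path": APPDATA + r"\Microsoft\Word\Normal.dotm"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "wupd32"},
    {"type": "process_create", "cmdline": "net share shara=" + APPDATA + r"\system\verona"},
    {"type": "process_create", "cmdline": "sc.exe delete AntiVirService"},
    {"type": "process_create", "cmdline": "sc.exe query AntiVirService"},
]
```

On the sample above, events 0, 2, 3 and 4 are flagged while the benign Word file and the read-only `sc.exe query` are not.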