Win32/Delf.BFP [Threat Name]

Win32/Delf.BFP [Threat Variant Name]

Category trojan
Size 386560 B
Detection created Apr 02, 2018
Detection database version 17156
Aliases Trojan:Win32/Tiggre!rfn (Microsoft)
  Trojan.PWS.Banker1.27264 (Dr.Web)
  TR/Spy.Banker.abfwz (Avira)
Short description

Win32/Delf.BFP serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\aero.exe

The trojan creates the following files:

  • %temp%\log.txt
  • %temp%\temp.bat

In order to be executed on every system start, the trojan modifies the following Registry key:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft" = "%temp%\aero.exe"

After the installation is complete, the trojan deletes the original executable file.
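The following PowerShell script is an added example for defenders; it is not part of the ESET page and not code from the threat itself. It checks a Windows host for the persistence artifacts listed above: the Run value named "Microsoft" pointing at aero.exe, and the three dropped files in each user's temp folder. The user-profile root (C:\Users) and the SHA256 hashing are assumptions for illustration; the page lists no hashes, so the script only reports what it finds.

```powershell
# Added example (not from the ESET page): look for Win32/Delf.BFP persistence
# artifacts described in the "Installation" section.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$artifacts = @('aero.exe', 'log.txt', 'temp.bat')   # dropped into %temp%
$findings  = @()

# 1. Run key value "Microsoft" whose data points at aero.exe.
#    The page gives the data as "%temp%\aero.exe"; matching on the file name
#    also catches an already-expanded path.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Microsoft']) {
    $data = [string]$run.Microsoft
    if ($data -match '(?i)aero\.exe') {
        $findings += "Run value 'Microsoft' = $data"
    }
}

# 2. Dropped files. %temp% is per user, so walk every profile's temp folder
#    (C:\Users is an assumed profile root) instead of only the current user's.
$tempDirs = @([System.IO.Path]::GetTempPath())
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $tempDirs += (Join-Path $_.FullName 'AppData\Local\Temp')
}
foreach ($dir in ($tempDirs | Sort-Object -Unique)) {
    foreach ($name in $artifacts) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $findings += "File present: $path (SHA256 $hash)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Delf.BFP persistence artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated prompt so HKLM and other users' profiles are readable. Treat the Run value as the strong indicator: log.txt and temp.bat are generic names that legitimate software also uses, so a hit on those files alone is only worth investigating if aero.exe or the Run value is present as well.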

Information stealing

Win32/Delf.BFP is a trojan that steals sensitive information.


The trojan collects the following information:

  • user name
  • operating system version
  • volume serial number

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The TCP and HTTP protocols are used in the communication.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • open ports

The trojan may create the following files in the %temp% folder:

  • %variable%

A string with variable content is used instead of %variable%.
