Win32/Delf.PBF [Threat Name] go to Threat

Win32/Delf.PBF [Threat Variant Name]

Category trojan
Size 168960 B
Detection created Feb 18, 2010
Detection database version 4877
Aliases Trojan.Win32.Agent.dhbq (Kaspersky)
  Trojan:Win32/Tachtoli.A (Microsoft)
  Generic.dx!nkr (McAfee)
Short description

The trojan is designed to artificially generate traffic to certain Internet sites.


When executed the trojan copies itself in the following locations:

  • %localappdata%\­microsoft\­windows\­wtnmm.exe
  • %startup%\­wtnmm.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "SHELL" = "explorer.exe, "%localappdata%\­microsoft\­windows\­wtnmm.exe""
Other information

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The trojan may create the following files:

  • %localappdata%\­Microsoft\­Windows\­thumbcac_888.db
  • %localappdata%\­Microsoft\­Windows\­%variable%.exe

A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.