Win32/Delf.PGD [Threat Name]

Win32/Delf.PGD [Threat Variant Name]

Category trojan
Size 152576 B
Detection created Apr 22, 2010
Detection database version 5050
Aliases Trojan.Win32.Delf.wnp (Kaspersky)
  Generic.dx!rwz (McAfee)
  Trojan.horse.Generic17.BERQ (AVG)
Short description

Win32/Delf.PGD is a trojan that steals passwords and other sensitive information. The trojan can be used for sending spam. The trojan can download and execute a file from the Internet.

Installation

When executed, the trojan creates the following folders:

  • %appdata%\system\
  • %appdata%\system\verona\

The trojan copies itself to the following locations:

  • %appdata%\system\svchost.exe
  • %appdata%\system\verona\load_me.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "wupd32" = "%appdata%\system\svchost.exe"

The trojan executes the following command:

  • net share shara=%appdata%\system\verona

Information stealing

Win32/Delf.PGD is a trojan that steals passwords and other sensitive information.


The trojan collects information related to the following applications:

  • Total Commander
  • Microsoft Outlook Express
  • The Bat!

The collected information is stored in the following file:

  • %temp%\tmp

The trojan contains a list of (1) FTP addresses.


The trojan attempts to send gathered information to a remote machine. The FTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (1) URLs. It tries to download a file from the address. The HTTP protocol is used.


The file is stored into the following folder:

  • %temp%

The following filename is used:

  • tmp
  • %variable%

A string with variable content is used instead of %variable%.


The trojan can be used for sending spam.


The trojan can download and execute a file from the Internet.


The trojan may execute the following commands:

  • sc.exe delete AntiVirWebService
  • sc.exe delete AntiVirService
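The host artifacts listed in the Installation, Information stealing and Other information sections above can be checked with a short script. The following PowerShell is an added example, not code from ESET or from this threat entry: it looks for the dropped files and folders, the "wupd32" Run value, the "shara" share and the two services the trojan deletes. The file paths, registry value, share name and service names come from the entry; the script structure, the $findings list and the output wording are this example's own, and it assumes a Windows host with PowerShell 3.0 or later (Get-CimInstance) run from an elevated prompt.

```powershell
# Added example (not part of the ESET entry): check a Windows host for the
# Win32/Delf.PGD artifacts described above. Run elevated so that the share
# and service queries are answered fully.

$findings = @()

# 1. Dropped copies, working folders and the collection/download file.
#    All paths are taken from the entry; %appdata% and %temp% are expanded
#    from the current user's environment.
$paths = @(
    (Join-Path $env:APPDATA 'system\svchost.exe'),          # copy of the trojan
    (Join-Path $env:APPDATA 'system\verona\load_me.exe'),   # second copy
    (Join-Path $env:APPDATA 'system\verona'),               # shared folder
    (Join-Path $env:TEMP    'tmp')                          # stolen data / downloaded file
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += "Path present: $p"
    }
}

# 2. Persistence: HKCU Run value "wupd32" pointing at the dropped svchost.exe.
#    A svchost.exe anywhere outside %SystemRoot%\System32 is itself suspicious.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['wupd32']) {
    $findings += "Run value wupd32 = $($run.wupd32)"
}

# 3. The SMB share "shara" created with 'net share' over the verona folder.
#    Win32_Share is queried instead of Get-SmbShare so the check also works
#    on older Windows versions without the SmbShare module.
$share = Get-CimInstance -ClassName Win32_Share -Filter "Name='shara'" -ErrorAction SilentlyContinue
if ($share) {
    $findings += "Share shara -> $($share.Path)"
}

# 4. Defence evasion: the entry lists 'sc.exe delete' for these two services.
#    Their absence only matters on hosts where that product was installed,
#    so the finding is reported with that caveat rather than as a hit.
foreach ($svc in 'AntiVirWebService', 'AntiVirService') {
    if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) {
        $findings += "Service not registered: $svc (expected if the product was never installed)"
    }
}

if ($findings.Count -eq 0) {
    'No Win32/Delf.PGD host indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The script only reports; it does not delete anything, so a positive hit can be triaged (confirm the file hash against the entry's size of 152576 B, collect the sample, then remediate with the product's cleaner). On a fleet, the same four checks map directly onto EDR telemetry: file creation under %appdata%\system, a Run value write, a `net share` process launch and `sc.exe delete` invocations from a non-administrative process.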
