Win32/TrojanDownloader.Delf.PBD [Threat Name] go to Threat

Win32/TrojanDownloader.Delf.PBD [Threat Variant Name]

Category trojan
Size 436736 B
Aliases TrojanDownloader:Win32/Delf.HW (Microsoft)
  Generic.Downloader.x!blr (McAfee)
  Trojan.Downloader.Agent.AATE (BitDefender)
Short description

Win32/TrojanDownloader.Delf.PBD is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX .


The trojan does not create any copies of itself.

Other information

The trojan creates the following folders:

  • %program files%\­plusbag\­

The trojan contains a list of (1) URLs. The trojan acquires data and commands from a remote computer or the Internet.

The data is saved in the following file:

  • %program files%\­plusbag\­tmp_down.ini

The trojan tries to download several files from the Internet.

These are stored in the following locations:

  • %program files%\­plusbag\­plusbag.exe
  • %program files%\­plusbag\­plusbag.dll

The files are then executed. The HTTP protocol is used.

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­App Management\­ARPCache\­plusbag]
    • "Changed" = %hex_value%
    • "SlowInfoCache" =  %hex_value%
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Uninstall\­plusbag]
    • "DisplayName" = "windows plusbag"
    • "UninstallString" = "%program files%\­plusbag\­uninstall.exe"
  • [HKEY_CURRENT_USER\­Software\­plusbag]
    • "PartCode" = "part1"
    • "plus_recom_id" = "part1"

The trojan creates the following files:

  • %system%\­$$$$.bat

Please enable Javascript to ensure correct displaying of this content and refresh this page.