Win32/Delf.BFP [Threat Name]
Win32/Delf.BFP [Threat Variant Name]
Category | trojan
Size | 386560 B
Aliases | Trojan:Win32/Tiggre!rfn (Microsoft), Trojan.PWS.Banker1.27264 (Dr.Web), TR/Spy.Banker.abfwz (Avira)
Short description
Win32/Delf.BFP serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %temp%\aero.exe
The trojan creates the following files:
- %temp%\log.txt
- %temp%\temp.bat
In order to be executed on every system start, the trojan modifies the following Registry key:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Microsoft" = "%temp%\aero.exe"
After the installation is complete, the trojan deletes the original executable file.
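The installation artifacts listed above (the Run value named "Microsoft" pointing at %temp%\aero.exe, and the dropped files aero.exe, log.txt and temp.bat in %temp%) can be checked on a host with a short script. The following is an added example written for this entry; it is not code from the threat description or from any vendor. It matches the indicators against a Run-key snapshot and a directory listing, expanding %temp% case-insensitively and normalising paths so that differences in casing or separators do not hide a hit. The sample host data (user name, temp directory, the "ExampleUpdater" entry) is constructed for the demo; the collect_live helper, which uses the standard winreg module, is an assumption about how a Windows host would be queried and is only used when the script is run on Windows.

```python
import ntpath
import os
import re
import sys

# Indicators taken from the Win32/Delf.BFP description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Microsoft"
RUN_VALUE_DATA = r"%temp%\aero.exe"
DROPPED_FILES = (r"%temp%\aero.exe", r"%temp%\log.txt", r"%temp%\temp.bat")


def expand_temp(path, temp_dir):
    """Expand %temp% (any casing) to a concrete directory and normalise the path
    (lower-case, backslashes, no redundant components) so comparisons are robust."""
    expanded = re.sub(r"%temp%", lambda _m: temp_dir, path, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(expanded))


def check_run_entries(run_entries, temp_dir):
    """run_entries: dict of value name -> value data read from the HKLM Run key.
    Returns a list of human-readable findings."""
    findings = []
    expected = expand_temp(RUN_VALUE_DATA, temp_dir)
    for name, data in run_entries.items():
        command = data.strip().strip('"')  # some entries quote the command path
        if expand_temp(command, temp_dir) == expected:
            findings.append(f"{RUN_KEY}\\{name} launches {command} (Delf.BFP persistence)")
        elif name == RUN_VALUE_NAME:
            # Same value name but different data: not a confirmed hit, but worth a look.
            findings.append(f"{RUN_KEY}\\{name} exists with unexpected data {data!r}; review")
    return findings


def check_dropped_files(present_files, temp_dir):
    """present_files: absolute paths observed on disk (e.g. a listing of %temp%).
    Returns the dropped-file indicators that are present, in their original form."""
    wanted = {expand_temp(p, temp_dir): p for p in DROPPED_FILES}
    seen = {ntpath.normcase(ntpath.normpath(p)) for p in present_files}
    return sorted(wanted[p] for p in wanted if p in seen)


def scan(run_entries, present_files, temp_dir):
    """Run both checks and return a dict of findings."""
    return {
        "persistence": check_run_entries(run_entries, temp_dir),
        "files": check_dropped_files(present_files, temp_dir),
    }


def collect_live():
    """On Windows, read the real Run key and list %temp% (assumed helper, not part
    of the original entry). Note that a 32-bit interpreter on 64-bit Windows sees
    the WOW6432Node view of HKLM\\SOFTWARE unless KEY_WOW64_64KEY is requested."""
    import winreg  # Windows-only standard-library module
    temp_dir = os.environ["TEMP"]
    entries = {}
    subkey = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        value_count = winreg.QueryInfoKey(key)[1]
        for i in range(value_count):
            name, data, _type = winreg.EnumValue(key, i)
            entries[name] = str(data)
    files = [ntpath.join(temp_dir, f) for f in os.listdir(temp_dir)]
    return entries, files, temp_dir


# Constructed sample host state for an offline demonstration.
SAMPLE_TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_RUN = {
    "ExampleUpdater": r"C:\Program Files\Example\updater.exe",   # benign, constructed
    "Microsoft": r"C:\Users\alice\AppData\Local\Temp\aero.exe",  # matches the indicator
}
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\AERO.EXE",   # casing differs, still matched
    r"C:\Users\alice\AppData\Local\Temp\log.txt",
    r"C:\Users\alice\AppData\Local\Temp\unrelated.tmp",
]

if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        run, files, temp = collect_live()
    else:
        run, files, temp = SAMPLE_RUN, SAMPLE_FILES, SAMPLE_TEMP
    for category, hits in scan(run, files, temp).items():
        print(category, hits)
```

Run without arguments to see the matcher work on the constructed sample; on a Windows host, `--live` reads the actual Run key and %temp% listing. A hit on the Run value is the stronger signal, since log.txt and temp.bat are generic names that other software may also create in %temp%.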
Information stealing
Win32/Delf.BFP is a trojan that steals sensitive information.
The trojan collects the following information:
- user name
- operating system version
- volume serial number
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The TCP and HTTP protocols are used in the communication.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- perform DoS/DDoS attacks
- open ports
The trojan may create the following files in the %temp% folder:
- %variable%
A string with variable content is used instead of %variable%.