Summary

| Included in our products from | May 2004 (3.81) |
|---|---|
| Protection available since | 16 March 2004 15:23:46 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\foffice = nm.exe
and delete it if it exists.
Close the registry editor.
More Information
Troj/Delf-CB is a password-stealing Trojan which gathers passwords and confidential information and emails them to a remote location.
The information includes cached passwords, RAS dialup information, Microsoft Outlook settings and information relating to the following software (if installed): ICQ, Miranda, RQ, Becky, The Bat!, Trillian, Total Commander, Far and EDialer.
When first run, the Trojan copies itself to the Windows System folder as nm.exe and creates the following registry entry, so that nm.exe is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\foffice = nm.exe
The installation executable for Troj/Delf-CB creates two files with an extension of EXE in the Windows TEMP folder. One of the files is a copy of the Trojan executable and the other is a harmless program named WinZIP 9.0 Keygen.
Troj/Delf-CB terminates selected anti-virus and security-related applications.
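
The Run entry and the nm.exe copy described above can be checked from a script instead of Regedit. This is an added example, not Sophos tooling; it assumes Windows PowerShell is available on the host, and the `-Remove` switch and `$BackupPath` default are hypothetical names chosen here.

```powershell
# Added example: checks for the Troj/Delf-CB artefacts named on this page.
# Assumption: run in Windows PowerShell on the host; -Remove needs an elevated prompt.
param(
    [switch]$Remove,                                   # hypothetical switch: delete the Run value
    [string]$BackupPath = "$env:TEMP\Run-backup.reg"   # hypothetical backup location
)

$runKeyPs  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKeyReg = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'foffice'
$fileName  = 'nm.exe'

# Read the Run key once; a missing value is a normal result, not an error.
$props = Get-ItemProperty -Path $runKeyPs -ErrorAction Stop
$data  = $null
if ($props.PSObject.Properties.Name -contains $valueName) {
    $data = [string]$props.$valueName
}

# The Trojan copies itself to the Windows System folder as nm.exe.
$dropped = Join-Path ([Environment]::GetFolderPath('System')) $fileName
if (Test-Path -LiteralPath $dropped) {
    $f = Get-Item -LiteralPath $dropped -Force
    Write-Output "Found $($f.FullName) ($($f.Length) bytes, written $($f.LastWriteTime))"
} else {
    Write-Output "No $fileName in the System folder."
}

if ($null -eq $data) {
    Write-Output "Run value '$valueName' is not present."
    return
}
Write-Output "Run value '$valueName' = '$data'"

# Only act when the value really launches nm.exe, bare, quoted or with a path.
$launchesNm = $data -match '(^|[\\"])nm\.exe\b'
if (-not $launchesNm) {
    Write-Output "Value does not reference $fileName; leaving it alone."
} elseif ($Remove) {
    # Back up the key first, as the manual steps do, then delete the one value.
    & reg.exe export $runKeyReg $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; value not removed." }
    Remove-ItemProperty -Path $runKeyPs -Name $valueName -ErrorAction Stop
    Write-Output "Removed '$valueName'; backup saved to $BackupPath"
} else {
    Write-Output "Match. Re-run with -Remove to back up the key and delete the value."
}
```

The script only reports on nm.exe and does not delete the file; that is left to the Trojan removal instructions.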
