Troj/Delf-JJ is a browser-hijacking Trojan.
To run automatically when Windows starts up, the Trojan copies itself to the following files:
- default.scr and highspeed-cable.exe in the current user's Start Menu/Programs/Startup folder
- cab.exe and spooler.exe in the top folder of the C: drive
- msupdate.exe in the Windows folder
- axe.exe, iProtect.exe, memorymanager.pif and security32.exe in the Windows system folder
Troj/Delf-JJ creates a DLL file named wallpaper32.dll in the Windows system folder. This file is also detected as Troj/Delf-JJ.
The Trojan adds the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Cab Manager
C:\cab.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Printer Spooler
C:\spooler.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Security Update
"%SystemRoot%\security32.exe"

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Memory Manager
"%SystemRoot%\memorymanager.pif"

HKLM\Software\Microsoft\Active Setup\Installed Components\
(77566C2A-2987-44BC-AC81-A02D19EE271B)
StubPath
C:\msupdate.exe

HKLM\Software\Microsoft\Active Setup\Installed Components
(C0DADD7E-D3F1-430D-B735-39DC6033592C)\
StubPath
"%SystemRoot%\msupdate.exe"
The Trojan installs itself as a service with the DisplayName "security" by creating several registry entries beneath HKLM\System\CurrentControlSet\Services\ASecurity32.
Troj/Delf-JJ installs the file wallpaper32.dll as a browser plugin, creating the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
(E07FAB0D-7456-48A7-A1E2-CE130D1E2E2A)

HKCR\CLSID\(E07FAB0D-7456-48A7-A1E2-CE130D1E2E2A)\InprocServer32
""
C:\Windows\system32\wallpaper32.dll
This browser plugin monitors browser activity and may redirect specific shopping-related URLs to another URL chosen by the author.
The Trojan disables access to the following domains by adding entries to the Windows HOSTS file that map them to the loopback address 127.0.0.1:
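The HOSTS file change described above can be checked for during triage. The following is an added example, not part of the original description: it lists every hostname that a HOSTS file maps to a loopback address, ignoring the standard localhost entries. It generalizes slightly beyond the 127.0.0.1 case on this page by also flagging ::1 and 0.0.0.0; the function name and all sample hostnames are constructed for illustration.

```python
import ipaddress

# Names that legitimately resolve to loopback on a stock system.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def loopback_blocked_hosts(hosts_text):
    """Return sorted hostnames that HOSTS content maps to a loopback or null address."""
    flagged = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line, comment-only line, or address with no name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip malformed line
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        # A single line may carry several aliases for the same address.
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                flagged.add(name)
    return sorted(flagged)


# Constructed sample HOSTS content (hostnames are placeholders, not from the page).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.shop-one.example   # appended entry
127.0.0.1       www.shop-two.example WWW.Shop-Three.example
0.0.0.0         ads.example
192.0.2.10      intranet.example
not-an-ip       something.example
"""

if __name__ == "__main__":
    for host in loopback_blocked_hosts(SAMPLE_HOSTS):
        print(host)
```

On Windows the file to read is normally %SystemRoot%\System32\drivers\etc\hosts. Entries flagged here are not necessarily malicious, since ad-blocking tools add similar lines, so compare the result against a known-good baseline.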