Troj/Delf-LB is a browser hijacking Trojan for the Windows platform.
Troj/Delf-LB monitors the user's web browsing and redirects the browser to another site when it detects access to any website on its list of monitored sites.
When first run, Troj/Delf-LB copies itself to the following files:
<Windows>\commop.exe
<System>\battlenet.exe
<System>\commonaccess.exe
<System>\memswapmanger.pif
<System>\msfirewall.exe
<System>\opsys.exe
<User's startup folder>\DirectX.exe
<User's startup folder>\screensaver.scr
The Trojan then creates the following registry entries so that some of the copies are run when a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Critical Update Check
%Windir%\battlenet.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
network device driver
<System>\msfirewall.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
printer spooler
<System>\commonaccess.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
keyboard driver
<System>\memswapmanager.pif
The Trojan also creates registry entries under the following:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6A7F00FB-233C-4B12-BD06-929B54CAC93B}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{37659504-E316-48E5-9D08-B1889E24DC4F}
Troj/Delf-LB drops a file named firewall.dll in the Windows system folder and registers it as a Browser Helper Object, setting the following registry entries:
HKCR\CLSID\{EE5C363D-7627-4F21-98AE-4CBCC1DBD650}\InprocServer32
(default)
<System>\firewall.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE5C363D-7627-4F21-98AE-4CBCC1DBD650}
Troj/Delf-LB also adds entries to the Windows HOSTS file that map a list of websites to 127.0.0.1, in an attempt to block access to those sites.
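As an added example (not part of the advisory), the check below parses HOSTS-file content and reports every non-local hostname that has been sinkholed to a loopback or unspecified address, which is the blocking technique described above. The sample content is constructed for this example and only borrows a few hostnames from the advisory.

```python
import ipaddress
import re

# Constructed sample HOSTS file content; the 127.0.0.1 lines mirror the kind
# of entries the advisory describes, including a duplicate line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.techbargains.com
127.0.0.1 www.bestonlinecoupons.com
127.0.0.1 www.techbargains.com   # duplicate, as seen in the advisory
0.0.0.0   www.dealcatcher.com
192.168.1.10 intranet.corp.example   # ordinary static mapping, not a block
"""

# Names that legitimately map to loopback and should not be reported.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def find_hosts_blocks(text: str) -> dict[str, list[str]]:
    """Return {hostname: [addresses]} for every non-local hostname that the
    HOSTS text maps to a loopback or unspecified address (127.x, ::1, 0.0.0.0).
    Duplicate lines collapse into one entry."""
    blocked: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; not an address-to-name mapping
        if not (ip.is_loopback or ip.is_unspecified):
            continue  # ordinary static mapping, not a sinkhole
        for name in names:
            key = name.lower()
            if key in LEGIT_LOOPBACK:
                continue
            addrs = blocked.setdefault(key, [])
            if addr not in addrs:
                addrs.append(addr)
    return blocked


if __name__ == "__main__":
    for host, addrs in sorted(find_hosts_blocks(SAMPLE_HOSTS).items()):
        print(f"{host} -> {', '.join(addrs)}")
```

On a live system, feed the function the contents of %SystemRoot%\System32\drivers\etc\hosts; any reported name that the administrator did not add deliberately is worth investigating.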