Troj/Delf-ALI

Please read the instructions for removing Troj/Delf-ALI.

Troj/Delf-ALI is a worm and IRC backdoor Trojan for the Windows platform.

Troj/Delf-ALI spreads to other network computers by exploiting common buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).

Troj/Delf-ALI runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

Troj/Delf-ALI includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Delf-ALI is installed it creates the clean text file <System>\msguid32.dll.

The following registry entry is created to run Troj/Delf-ALI on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft IIS
<pathname of the worm executable>

Troj/Delf-ALI attempts to log details from banking applications related to the following sites:

www.halifax-online.co.uk
ibank.barclays.co.uk
online.lloydstsb.co.uk
online-business.lloydstsb.co.uk
www.ukpersonal.hsbc.co.uk
banesnet.banesto.es
extranet.banesto.es
ebanking.bccbrescia.it
www.bankofscotlandhalifax-online.co.uk
oi.cajamadrid.es
bancae.caixapenedes.com
banking.postbank.de
meine.deutsche-bank.de
myonlineaccounts2.abbeynational.co.uk
ibank.cahoot.com
webbank.openplan.co.uk
bancopostaonline.poste.it
mybank.bybank.it
ibank.internationalbanking.barclays.com
welcome7.co-operativebank.co.uk
welcome11.co-operativebankonline.co.uk

Troj/Delf-ALI modifies the HOSTS file in order to redirect access to the above sites.

Troj/Delf-ALI stores logged information to the following clean text files in the Windows system folder:

abbey.dll
bane.dll
bankofscot.dll
barc.dll
barc3.dll
bccbrescia.dll
bybank.dll
cahoot.dll
caixapenedes.dll
cajamadrid.dll
coo11.dll
coo7.dll
deutchebank.dll
halif.dll
hsbc.dll
lloy.dll
posta.dll
postbank.dll
wool.dll