TrojanClicker:Win32/Delf.U
First posted on 10 March 2012.
Source: Microsoft
Aliases:
There are no other names known for TrojanClicker:Win32/Delf.U.
Explanation:
TrojanClicker:Win32/Delf.U is a trojan installed as a Browser Helper Object (BHO), which connects to an advertisement server.
Installation
TrojanClicker:Win32/Delf.U may arrive bundled with other programs such as "linkplus" or "popupguide".
It creates a folder in which it places a copy of itself; the folder may be any of the following:
- %ProgramFiles%\popupguide\
- %ProgramFiles%\mypoints\
- %ProgramFiles%\linkplus\
- %ProgramFiles%\barosearch\
Its copy is a DLL file with varying names. The DLL is registered as a Browser Helper Object (BHO), which allows it to run every time Internet Explorer starts.
TrojanClicker:Win32/Delf.U also creates a registry subkey as part of its installation routine, for example:
- HKCU\SOFTWARE\popupguide
- HKCU\SOFTWARE\mypoints
- HKCU\SOFTWARE\linkplus
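A host check for the installation artifacts listed above, as an added example (not part of the original write-up or any Microsoft tool): it looks for the folders and HKCU subkeys named on this page and reports registered BHOs whose DLL sits in one of those folders. The BHO and CLSID registry locations are the standard Windows ones and are not taken from the page.

```powershell
# Added example. Folder and key names are from the page; 'barosearch' as an
# HKCU subkey is an assumption (the page lists only the first three as keys).
$names = 'popupguide', 'mypoints', 'linkplus', 'barosearch'
$findings = @()

# 1. Install folders under %ProgramFiles% (both views on 64-bit Windows).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    foreach ($n in $names) {
        $dir = Join-Path $root $n
        if (Test-Path -LiteralPath $dir) {
            $findings += [pscustomobject]@{ Type = 'Folder'; Item = $dir; Detail = '' }
        }
    }
}

# 2. HKCU\SOFTWARE\<name> subkeys (current user only).
foreach ($n in $names) {
    $key = "HKCU:\SOFTWARE\$n"
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $key; Detail = '' }
    }
}

# 3. Registered BHOs whose DLL sits in one of the folders above. The DLL name
#    varies, so match on the folder component of the InprocServer32 path.
$pattern = '\\(' + ($names -join '|') + ')\\'
$views = @(
    @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)
foreach ($v in $views) {
    if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $v.Bho) {
        $srv = Join-Path $v.Cls (Join-Path $sub.PSChildName 'InprocServer32')
        if (-not (Test-Path -LiteralPath $srv)) { continue }
        $dll = (Get-Item -LiteralPath $srv).GetValue('')   # default value = DLL path
        if ($dll -match $pattern) {
            $findings += [pscustomobject]@{ Type = 'BHO'; Item = $sub.PSChildName; Detail = $dll }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else {
    'No artifacts from this page found for the current user and machine.' }
```

The HKCU check only covers the account running the script, so on a shared machine it needs to be run once per user profile.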
Payload
Generates visits for certain websites
TrojanClicker:Win32/Delf.U sends HTTP requests to certain websites without the user's consent. It possibly does this to generate visits to these sites, which may rely on visitor numbers to generate revenue. Some of the servers it is known to generate requests for are:
- click.clickstory.co.kr/?vanilla=<removed>&turl=<removed>&aff_mid=<removed>
- www.ilikeclick.com/track/click.php?dts_code=<removed>&DTS_UID=&target_url=<removed>
Analysis by Mihai Calota
Last update 10 March 2012