Home / malware Trojan.Deltatoolbar
First posted on 11 October 2014.
Source: SymantecAliases :
There are no other names known for Trojan.Deltatoolbar.
Explanation :
The Trojan arrives through software bundles and silently installs itself on the computer.
When the Trojan is executed, it creates the following files: %SystemDrive%\Documents and Settings\All Users\Application Data\Delta%SystemDrive%\Documents and Settings\All Users\Application Data\Delta\sqlite3.dll%ProgramFiles%\Delta%ProgramFiles%\Delta\delta%ProgramFiles%\Delta\delta\1.8.24.5%ProgramFiles%\Delta\delta\1.8.24.5\bh%ProgramFiles%\Delta\delta\1.8.24.5\bh\delta.dll%ProgramFiles%\Delta\delta\1.8.24.5\deltaApp.dll%ProgramFiles%\Delta\delta\1.8.24.5\deltaEng.dll%ProgramFiles%\Delta\delta\1.8.24.5\deltasrv.exe%ProgramFiles%\Delta\delta\1.8.24.5\deltaTlbr.dll%ProgramFiles%\Delta\delta\1.8.24.5\uninstall.exe%ProgramFiles%\Mozilla Firefox%ProgramFiles%\Mozilla Firefox\extensions%ProgramFiles%\Mozilla Firefox\searchplugins
Next, the Trojan creates the following registry entries: HKEY_CLASSES_ROOT\AppID\escort.DLL\"AppID" = "{09C554C3-109B-483C-A06B-F14172F1A947}"HKEY_CLASSES_ROOT\AppID\escortApp.DLL\"AppID" = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"HKEY_CLASSES_ROOT\AppID\escortEng.DLL\"AppID" = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"HKEY_CLASSES_ROOT\AppID\escorTlbr.DLL\"AppID" = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"HKEY_CLASSES_ROOT\AppID\esrv.EXE\"AppID" = "{39CB8175-E224-4446-8746-00566302DF8D}"HKEY_CLASSES_ROOT\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\"default" = "escort"HKEY_CLASSES_ROOT\AppID\{39CB8175-E224-4446-8746-00566302DF8D}\"default" = "esrv"HKEY_CLASSES_ROOT\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\"default" = "escorTlbr"HKEY_CLASSES_ROOT\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\"default" = "escortEng"HKEY_CLASSES_ROOT\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\"default" = "escortApp"HKEY_CURRENT_USER\Software\Delta\delta\"cmndLn" = ""HKEY_CURRENT_USER\Software\Delta\delta\"lastB" = "about:blank"HKEY_CURRENT_USER\Software\Delta\delta\"tlbrSrchUrl" = ""HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escort.DLL\"AppID" = "{09C554C3-109B-483C-A06B-F14172F1A947}"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL\"AppID" = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL\"AppID" = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL\"AppID" = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\esrv.EXE\"AppID" = "{39CB8175-E224-4446-8746-00566302DF8D}"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\"default" = "escort"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{39CB8175-E224-4446-8746-00566302DF8D}\"default" = "esrv"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\"default" = "escorTlbr"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\"default" = "escortEng"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\"default" = "escortApp"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\d\"default" = "escrtAx Object"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\d\CLSID\"default" = "{86838207-681D-469D-9511-D0DCC6F19F9B}"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\d\CurVer\"default" = "d"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}\"AppName" = "deltasrv.exe"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}\"AppPath" = "C:\Program Files\Delta\delta\1.8.24.5"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}\"Policy" = "dword:00000003"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\"{82E1477C-B154-48D3-9891-33D83C26BCD3}" = "Delta Toolbar"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}\"default" = "delta Helper Object"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}\"NoExplorer" = "1"HKEY_CLASSES_ROOT\d\"default" = "escrtAx Object"HKEY_CLASSES_ROOT\d\CLSID\"default" = "{86838207-681D-469D-9511-D0DCC6F19F9B}"HKEY_CLASSES_ROOT\d\CurVer\"default" = "d"
The Trojan then creates the following registry subkeys: HKEY_CLASSES_ROOT\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}HKEY_CLASSES_ROOT\CLSID\{261DD098-8A3E-43D4-87AA-63324FA897D8}HKEY_CLASSES_ROOT\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}HKEY_CLASSES_ROOT\CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3}HKEY_CLASSES_ROOT\CLSID\{86838207-681D-469D-9511-D0DCC6F19F9B}HKEY_CLASSES_ROOT\CLSID\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}HKEY_CLASSES_ROOT\CLSID\{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}HKEY_CLASSES_ROOT\delta.deltaappCore.1HKEY_CLASSES_ROOT\delta.deltaappCoreHKEY_CLASSES_ROOT\delta.deltaappCoreHKEY_CLASSES_ROOT\delta.deltadskBnd.1HKEY_CLASSES_ROOT\delta.deltadskBndHKEY_CLASSES_ROOT\delta.deltaHlpr.1HKEY_CLASSES_ROOT\delta.deltaHlprHKEY_CLASSES_ROOT\escort.escortIEPane.1HKEY_CLASSES_ROOT\escort.escortIEPaneHKEY_CLASSES_ROOT\esrv.deltaESrvc.1HKEY_CLASSES_ROOT\esrv.deltaESrvcHKEY_CLASSES_ROOT\TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}HKEY_CLASSES_ROOT\TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}HKEY_CLASSES_ROOT\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}HKEY_CLASSES_ROOT\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{261DD098-8A3E-43D4-87AA-63324FA897D8}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FCB4630-2A1C-4AA1-B422-345E8DC8A6DE}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82E1477C-B154-48D3-9891-33D83C26BCD3}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86838207-681D-469D-9511-D0DCC6F19F9B}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1AF5FA5-852C-4C90-812E-A7F75E011D87}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E97A663B-81A6-49C5-A6D3-BCB05BA1DE26}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltaappCore.1HKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltaappCoreHKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltadskBnd.1HKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltadskBndHKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltaHlpr.1HKEY_LOCAL_MACHINE\SOFTWARE\Classes\delta.deltaHlprHKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPaneHKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.deltaESrvc.1HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.deltaESrvcHKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{39CB8175-E224-4446-8746-00566302DF8D}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}HKEY_LOCAL_MACHINE\SOFTWARE\Delta\deltaHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\deltaHKEY_USERS\S-1-5-21-1316737702-3227248519-3113389456-500\Software\Delta\delta
The Trojan may then perform the following actions: Change the Web browser's home page to www.delta-search.comInstall the Delta toolbar plugin on Web browsersDisplay ads on the home page and search results pageLast update 11 October 2014
