Infostealer.Daonol is a Trojan horse that redirects network traffic and attempts to steal FTP account information from the compromised computer.
It hasn't been that active, but it has attempted a comeback, which can slow network traffic and compromise your data during FTP transmission.
On their site, AVG Technologies explains this as:
When executed, the Trojan copies itself as the following file:
%CurrentFolder%\[PARENT FOLDER]\[8 RANDOM CHARACTERS].[3 CHARACTERS]
Note: [PARENT FOLDER] denotes the folder one level higher in the file system tree. For example, if the original threat executable is %SystemDrive%\Documents and Settings\Administrator\[ORIGINAL FILE NAME].exe it will copy itself to %SystemDrive%\Documents and Settings\[8 RANDOM CHARACTERS].[3 CHARACTERS].
Note: [3 CHARACTERS] denotes one of the following strings:
- bak
- dat
- old
- tmp
It then modifies one of the following registry entries so that it runs every time Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\"aux" = "%CurrentFolder%\[PARENT FOLDER]\[8 RANDOM CHARACTERS].[3 CHARACTERS]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\"midi9" = "%CurrentFolder%\[PARENT FOLDER]\[8 RANDOM CHARACTERS].[3 CHARACTERS] [RANDOM CHARACTERS]"
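The two Drivers32 values above are the persistence indicator a responder would check first. The following PowerShell is an added example for inspecting them on a live host; it is not part of the AVG write-up. It assumes that on a clean system these values hold a bare driver module name (for example "wdmaud.drv" for "aux") rather than a full path, so a value that contains a path separator or ends in one of the four listed extensions is flagged as suspicious.

```powershell
# Added example (not from the AVG write-up): inspect the Drivers32 values that
# Infostealer.Daonol is reported to abuse for persistence.
# Assumption: a clean value is a bare module name (e.g. "wdmaud.drv"); the
# Trojan writes a path ending in .bak/.dat/.old/.tmp, optionally followed by
# a space and random characters (the "midi9" variant).
$key        = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$watched    = @('aux', 'midi9')
$suspectExt = @('.bak', '.dat', '.old', '.tmp')

function Test-Drivers32Value {
    param([string]$Name, [string]$Value)
    # Take the first token only; the midi9 variant appends random characters after a space.
    $first        = ($Value -split ' ')[0]
    $ext          = [System.IO.Path]::GetExtension($first).ToLowerInvariant()
    $isPath       = $first -match '[\\/]'
    $isSuspectExt = $suspectExt -contains $ext
    return [pscustomobject]@{
        Name       = $Name
        Value      = $Value
        Suspicious = ($isPath -or $isSuspectExt)
    }
}

if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    foreach ($name in $watched) {
        $val = $props.$name
        if ($null -ne $val) {
            Test-Drivers32Value -Name $name -Value $val
        } else {
            "$name is not set under Drivers32"
        }
    }
} else {
    "Drivers32 key not found"
}
```

On 64-bit Windows, repeat the check against the Wow6432Node copy of the same path (HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32), since a 32-bit loader reads that view. A flagged value should be preserved (exported) before any cleanup so the referenced file can be collected for analysis.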
It then hooks the following Windows API to inject itself into all newly created processes:
kernel32!CreateProcessW
It also prevents processes containing the following strings from executing:
- .com
- .bat
- .reg
- cmd
- reged
The Trojan will attempt to delete itself if processes containing the following strings are executed:
- gmer
- le38
Next, the Trojan hooks the following %System%\ws2_32.dll Windows APIs to allow it to monitor network traffic:
- recv
- send
- connect
- WSARecv
- WSASend
The Trojan redirects search engine network traffic to Web sites that may contain adware.
It blocks access to Web sites containing the following strings:
- clamav
- mbam
- mcafee
- miekiemoes
- prevx
It also blocks access to sites whose domains start with the following strings:
- Adob
- AVG
- AVPU
- CAUp
- COMO
- Enig
- ESS
- LIVE
- Live
- McHT
- NOD3
- Nort
- Pand
- SpyS
- SUPE
- Sy
- TMUF
The Trojan will attempt to delete itself if a URL that contains the following string is accessed:
DaonolFix
The Trojan monitors network traffic and steals FTP account information, which it saves to the following file:
%System%\sqlsodbc.chm
Note: The original %System%\sqlsodbc.chm file is overwritten.
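Because the Trojan overwrites a legitimate help file in place, the file's name and location give nothing away; what changes is its content. The following PowerShell is an added example, not part of the AVG write-up, that tests whether %System%\sqlsodbc.chm still carries the 4-byte "ITSF" signature that every compiled HTML Help (CHM) file begins with. A file at that path that lacks the signature should be treated as potentially holding captured credentials and be collected, not deleted, during response.

```powershell
# Added example (not from the AVG write-up): verify that %System%\sqlsodbc.chm
# is still a genuine compiled HTML Help file. Real CHM files start with the
# ASCII bytes "ITSF"; Daonol is reported to overwrite this file with stolen
# FTP account data, which would not carry that header.
$chm = Join-Path $env:SystemRoot 'System32\sqlsodbc.chm'

function Test-ChmSignature {
    param([string]$Path)
    # Returns $null if the file is absent, $true if it begins with "ITSF", $false otherwise.
    if (-not (Test-Path $Path)) { return $null }
    $bytes = New-Object byte[] 4
    $fs = [System.IO.File]::OpenRead($Path)
    try { $read = $fs.Read($bytes, 0, 4) } finally { $fs.Close() }
    if ($read -lt 4) { return $false }
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -eq 'ITSF')
}

$result = Test-ChmSignature -Path $chm
if ($null -eq $result) {
    "sqlsodbc.chm is not present at $chm"
} elseif ($result) {
    "sqlsodbc.chm begins with ITSF; contents look like a real help file"
} else {
    "sqlsodbc.chm does NOT begin with ITSF; preserve a copy for analysis (may contain captured FTP credentials)"
}

# Size and timestamp help corroborate: a recently modified, unusually sized
# help file in System32 is worth a second look even when the header is intact.
Get-Item $chm -ErrorAction SilentlyContinue | Select-Object FullName, Length, LastWriteTime
```

A passing signature check is not proof of a clean file, since the header could be left intact by a different variant; combine it with the Drivers32 registry check and a hash comparison against a known-good copy from an installation of the same Windows build.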
The Trojan may also attempt to download files onto the compromised computer.