Win32/Daonol [Threat Name] go to Threat

Win32/Daonol.C [Threat Variant Name]

Available cleaner [Download Daonol Cleaner ]

Category trojan
Size 17920 B
Detection created May 21, 2009
Signature database version 4093
Aliases Trojan.Win32.Agent.chbm (Kaspersky)
  Infostealer.Daonol (Symantec)
  Generic.dx!ct (McAfee)
Short description

Win32/Daonol.C is a trojan that steals passwords and other sensitive information. The file is run-time compressed using UPX .

Installation

When executed, the trojan creates the following files:

  • ..\­%currentfolder%\­%random1%.%random2%

Note:


"..\" denotes the folder one level higher in the file system tree. A string with variable content is used instead of %random1-2% .


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Drivers32]
    • "aux2" = "%currentfolder%\­..\­%random1%.%random2%"
Information stealing

Win32/Daonol.C is a trojan that steals passwords and other sensitive information.


The following information is collected:

  • FTP account information

The data is saved in the following file:

  • %system%\­sqlsodbc.chm
Other information

The trojan blocks access to any domains that contain any of the following strings in their name:

  • Adob
  • AVG
  • AVPU
  • CAUp
  • clamav
  • COMO
  • Enig
  • ESS
  • LIVE
  • Live
  • mbam
  • mcafee
  • McHT
  • miekiemoes
  • NOD3
  • Nort
  • Pand
  • prevx
  • SpyS
  • SUPE
  • TMUF

The trojan hooks the following Windows APIs:

  • CreateProcessW [kernel32.dll]
  • connect [ws2_32.dll]
  • send [ws2_32.dll]
  • WSARecv [ws2_32.dll]
  • WSASend [ws2_32.dll]
  • recv [ws2_32.dll]

The trojan terminates processes with any of the following strings in the name:

  • .bat
  • .reg
  • reged

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • gmer
  • le38

The trojan can redirect results of online search engines to web sites that contain adware.


The trojan can download and execute a file from the Internet.

Please enable Javascript to ensure correct displaying of this content and refresh this page.