Win32/Daonol [Threat Name]
Win32/Daonol.C [Threat Variant Name]
Available cleaner: Daonol Cleaner
Detection created: May 21, 2009
Signature database version: 4093
Win32/Daonol.C is a trojan that steals passwords and other sensitive information. The file is run-time compressed using UPX.
When executed, the trojan creates the following files:
"..\" denotes the folder one level higher in the file system tree. A string with variable content is used instead of %random1-2%.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
- "aux2" = "%currentfolder%\..\%random1%.%random2%"
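The Drivers32 key normally holds bare driver file names (mmdrv.dll, wdmaud.drv, msg711.acm, ...) that Windows resolves from system32, so a value whose data carries a path, a "..\" component or an odd extension, as the "aux2" entry above does, stands out. The following is an added detection check, not ESET's code; the sample values are constructed and the extension whitelist is an assumption.

```python
"""Flag Daonol-style persistence entries in the Drivers32 registry key."""
import ntpath
import sys

DRIVERS32_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
# Assumption: extensions a legitimate multimedia driver/codec entry would use.
LEGIT_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}

# Constructed sample modelled on a default Drivers32 key plus one Daonol-style
# "aux2" value whose data resolves "%currentfolder%\..\%random1%.%random2%".
SAMPLE_DRIVERS32 = {
    "aux": "mmdrv.dll",
    "midi": "wdmaud.drv",
    "wave": "wdmaud.drv",
    "wave1": "mmdrv.dll",          # numbered names are normal for extra devices
    "msacm.msg711": "msg711.acm",
    "vidc.cvid": "iccvid.dll",
    "aux2": r"C:\Documents and Settings\user\Local Settings\Temp\..\xqkz.tmp",
}


def classify_entry(name, data):
    """Return the reasons an entry looks suspicious; an empty list means clean."""
    reasons = []
    if "\\" in data or "/" in data:
        reasons.append("contains a path separator")
    if ".." in data.replace("/", "\\").split("\\"):
        reasons.append("walks up a directory with '..'")
    ext = ntpath.splitext(data)[1].lower()
    if ext not in LEGIT_EXTENSIONS:
        reasons.append(f"unexpected extension {ext!r}")
    return reasons


def scan_drivers32(values):
    """Map each flagged value name to its reasons, given {name: data} from the key."""
    return {n: classify_entry(n, d) for n, d in values.items() if classify_entry(n, d)}


def read_live_drivers32():
    """Read the real key on a Windows host; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, i = {}, 0
    # KEY_WOW64_64KEY avoids the Wow6432Node view when running 32-bit Python.
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DRIVERS32_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # raised once the values are exhausted
                break
            values[name] = str(data)
            i += 1
    return values
```

On a Windows host, `scan_drivers32(read_live_drivers32())` runs the same check against the live key.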
The following information is collected:
- FTP account information
The data is saved in the following file:
The trojan blocks access to any domains that contain any of the following strings in their name:
The trojan hooks the following Windows APIs:
- CreateProcessW [kernel32.dll]
- connect [ws2_32.dll]
- send [ws2_32.dll]
- WSARecv [ws2_32.dll]
- WSASend [ws2_32.dll]
- recv [ws2_32.dll]
The trojan terminates processes with any of the following strings in the name:
The trojan quits immediately if it detects a running process containing one of the following strings in its name:
The trojan can redirect results of online search engines to web sites that contain adware.
The trojan can download and execute a file from the Internet.