Win32/Danmec [Threat Name]

Win32/Danmec.C [Threat Variant Name]

Category trojan
Size 92160 B
Detection created Aug 16, 2011
Detection database version 6382
Aliases Trojan.Win32.Jorik.Aspxor.au (Kaspersky)
  Trojan:Win32/Danmec.gen!A (Microsoft)
Short description

Win32/Danmec.C is a trojan that is used for spam distribution. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\Microsoft\Protect\%variable1%.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • iexplore.exe
  • svchost.exe

The trojan creates the following files:

  • %temp%\s32.txt

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%appdata%\Microsoft\Protect\%variable1%.exe"

If that fails, the following entries are set instead:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%appdata%\Microsoft\Protect\%variable1%.exe"

After the installation is complete, the trojan deletes the original executable file.

A string with variable content is used instead of %variable1-2%.

Information stealing

The trojan collects the following information:

  • login name
  • login password
  • FTP account information
  • e-mail addresses

E-mail addresses containing the following strings are skipped when harvesting:

  • .dll
  • .hlp
  • _upro_
  • 419report
  • aa419
  • abuse
  • accoun
  • admin
  • -announce
  • antivir
  • anyone
  • apache
  • apache.org
  • arachnoid
  • blackhole
  • blacklist
  • block
  • blocked
  • bsd
  • bugs
  • -bugs
  • ca.com
  • castlecops
  • catcert
  • caube
  • cauce.org
  • certific
  • -certs
  • ci.el-paso.tx.us
  • cia.gov
  • cloudmark
  • cloudmark.com
  • confirm
  • -confirm
  • crime
  • debian
  • digsigtrust
  • dnsbl
  • dnsrbl
  • dydns
  • dynablock
  • ebay.com
  • egroups.com
  • e-trust
  • example
  • fbi.gov
  • fdic.gov
  • fraud
  • gold-certs
  • google
  • googlegroups
  • help
  • hostmaster
  • ht.ht
  • icrosoft
  • joewein
  • linux
  • listserv
  • mailwasher
  • malware
  • mcafee
  • messagelabs
  • moderators
  • mojordomo
  • mozilla
  • mydomai
  • nasa.gov
  • netcraft
  • newsvine
  • no_uce
  • nobody
  • nodomai
  • noone
  • noreply
  • nothing
  • outblaze
  • paulgraham.com
  • paypal
  • phish
  • police
  • postmaster
  • rating
  • reasonables
  • root
  • rx.t-online
  • samples
  • scam
  • scamdex
  • secur
  • service
  • soft
  • somebody
  • someone
  • sorbs
  • spam
  • submit
  • subscribe
  • support
  • symantec
  • thawte
  • the.bat
  • unix
  • uribl
  • velicert
  • verisign
  • virus
  • webmaster
  • webroot.com
  • yahoogroups

The data is saved in the following files:

  • %windir%\f32.txt
  • %windir%\g32.txt

The trojan attempts to send gathered information to a remote machine.

Other information

Win32/Danmec.C is a trojan that is used for spam distribution.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 4 URLs. The SMTP and HTTP protocols are used.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send spam
  • send gathered information
  • monitor network traffic

The trojan checks for Internet connectivity by trying to connect to the following addresses:

  • ns.uk3.net
  • www.yahoo.com
  • www.web.de

The trojan may create the following files:

  • %windir%\ws386.ini
  • %windir%\gs32.txt
  • %windir%\fs32.txt
  • %temp%\~ie%variable3%.exe

A string with variable content is used instead of %variable3%.
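As an added example (not part of this description), a small Python check a responder can run over exported Run-key values and directory listings to flag the persistence entry from the Installation section and the dropped files listed above. The sample registry entries and listings are constructed; the value names and the Protect\*.exe name in them are made up, while the artifact file names are the ones on this page.

```python
import re

# Persistence data described for this variant: %appdata%\Microsoft\Protect\<variable>.exe.
# The Run value name is variable, so only the path is matched (expanded or unexpanded).
# %appdata%\Microsoft\Protect is the legitimate DPAPI master-key folder; an .exe
# sitting directly inside it is the anomaly, not the folder itself.
_PROTECT_EXE = re.compile(
    r'^"?(?P<base>.*?)\\microsoft\\protect\\(?P<name>[^\\"]+\.exe)"?(?:\s.*)?$',
    re.IGNORECASE,
)
_APPDATA_MARKERS = ("%appdata%", "appdata\\roaming", "application data")

# File names the description lists under %windir% and %temp%
WINDIR_ARTIFACTS = {"f32.txt", "g32.txt", "ws386.ini", "gs32.txt", "fs32.txt"}
TEMP_ARTIFACTS = {"s32.txt"}
_TEMP_IE_EXE = re.compile(r"^~ie.+\.exe$", re.IGNORECASE)  # %temp%\~ie%variable3%.exe

def suspicious_run_values(run_values):
    """run_values: iterable of (key_path, value_name, data) from the HKLM/HKCU Run keys.
    Returns entries whose data points at an .exe inside the roaming Protect folder."""
    hits = []
    for key_path, value_name, data in run_values:
        m = _PROTECT_EXE.match(data.strip())
        if m and any(t in m.group("base").lower() for t in _APPDATA_MARKERS):
            hits.append((key_path, value_name, m.group("name")))
    return hits

def artifact_hits(windir_listing, temp_listing):
    """Return names from the two directory listings that match the dropped files."""
    hits = [n for n in windir_listing if n.lower() in WINDIR_ARTIFACTS]
    hits += [n for n in temp_listing
             if n.lower() in TEMP_ARTIFACTS or _TEMP_IE_EXE.match(n)]
    return hits

# Constructed sample input; value names, user name and the Protect\*.exe name are made up
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN = [
    ("HKLM\\" + RUN, "Updater", r"C:\Program Files\Example\updater.exe"),
    ("HKLM\\" + RUN, "kx8d", r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\rwq1.exe"),
    ("HKCU\\" + RUN, "upd", r"%appdata%\Microsoft\Protect\rwq1.exe"),
]
SAMPLE_WINDIR = ["explorer.exe", "win.ini", "f32.txt", "ws386.ini"]
SAMPLE_TEMP = ["~DF1234.tmp", "s32.txt", "~ieA1B2.exe"]

if __name__ == "__main__":
    print("persistence:", suspicious_run_values(SAMPLE_RUN))
    print("artifacts:", artifact_hits(SAMPLE_WINDIR, SAMPLE_TEMP))
```

On a live host the same functions can be fed the output of a Run-key export and listings of %windir% and %temp%; the HKLM entry is checked first because that is the key the trojan tries first.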
