Win32/Daonol [Threat Name]
Win32/Daonol.C [Threat Variant Name]
Available cleaner: Daonol Cleaner
| Field | Value |
|---|---|
| Category | trojan |
| Size | 17920 B |
| Aliases | Trojan.Win32.Agent.chbm (Kaspersky); Infostealer.Daonol (Symantec); Generic.dx!ct (McAfee) |
Short description
Win32/Daonol.C is a trojan that steals passwords and other sensitive information. The file is run-time compressed using UPX.
Installation
When executed, the trojan creates the following files:
- ..\%currentfolder%\%random1%.%random2%
Note:
"..\" denotes the folder one level higher in the file system tree. A string with variable content is used instead of %random1-2%.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
- "aux2" = "%currentfolder%\..\%random1%.%random2%"
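As an added defender-side example (not code from the original page), the following Python parses a constructed .reg export of the Drivers32 key and flags any value whose data matches the persistence pattern described above: a path that climbs a directory with "\..\" and ends in a non-driver extension. The set of legitimate module extensions and the sample export contents are assumptions.

```python
"""Flag Drivers32 values that look like the Daonol persistence entry (added example)."""
import ntpath
import re

# Constructed sample of a .reg export; the "aux2" line mimics the entry described
# for Win32/Daonol.C (random file name reached through "\..\"). Not real data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"wavemapper"="msacm32.drv"
"aux"="wdmaud.drv"
"aux2"="C:\\Users\\Public\\Downloads\\..\\qzx4k.tmp"
"msacm.l3acm"="C:\\Windows\\System32\\l3codeca.acm"
'''

# Assumption: module types normally registered under Drivers32.
LEGIT_EXTENSIONS = {".dll", ".drv", ".acm", ".vcm", ".ax"}
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_drivers32(reg_text):
    """Return {value_name: data} for the Drivers32 key in a .reg export."""
    entries = {}
    in_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.rstrip("]").endswith(r"\Drivers32")
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            # .reg files escape each backslash as "\\"; undo that
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def suspicious_entries(entries):
    """Return (name, data, reasons) for values matching the Daonol pattern."""
    flagged = []
    for name, data in entries.items():
        reasons = []
        if "\\..\\" in data:
            reasons.append("parent-directory traversal in path")
        if ntpath.splitext(data)[1].lower() not in LEGIT_EXTENSIONS:
            reasons.append("non-driver extension")
        if name.lower() == "aux2":
            reasons.append('value name "aux2" as used by Win32/Daonol.C')
        if reasons:
            flagged.append((name, data, reasons))
    return flagged


if __name__ == "__main__":
    for name, data, reasons in suspicious_entries(parse_drivers32(SAMPLE_REG)):
        print(f"{name} = {data}: {'; '.join(reasons)}")
```

A value name such as "aux2" is only corroborating evidence, since numbered multimedia aliases are legitimate; the path-based reasons carry the weight.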
Information stealing
Win32/Daonol.C is a trojan that steals passwords and other sensitive information.
The following information is collected:
- FTP account information
The data is saved in the following file:
- %system%\sqlsodbc.chm
Other information
The trojan blocks access to any domains that contain any of the following strings in their name:
- Adob
- AVG
- AVPU
- CAUp
- clamav
- COMO
- Enig
- ESS
- LIVE
- Live
- mbam
- mcafee
- McHT
- miekiemoes
- NOD3
- Nort
- Pand
- prevx
- SpyS
- SUPE
- TMUF
The trojan hooks the following Windows APIs:
- CreateProcessW [kernel32.dll]
- connect [ws2_32.dll]
- send [ws2_32.dll]
- WSARecv [ws2_32.dll]
- WSASend [ws2_32.dll]
- recv [ws2_32.dll]
The trojan terminates processes with any of the following strings in the name:
- .bat
- .reg
- reged
The trojan quits immediately if it detects a running process containing one of the following strings in its name:
- gmer
- le38
The trojan can redirect results of online search engines to web sites that contain adware.
The trojan can download and execute a file from the Internet.