Detection files published: May 14, 2009
Description created: 2010-04-16
Description updated: 2010-04-16

Alias: Trojan-PSW.Win32.Kates (Kaspersky), Lando (McAfee), Hacktool.Rootkit (Symantec), Trojan Dropper: Win32/Daonol (Microsoft), Troj/Daonol-Fam (Sophos)
Spreading mechanism: Email, IRC, Webpage
Payload: Steal information
Daonol is a family of trojans capable of monitoring network traffic, stealing FTP credentials, blocking access to security web sites, disabling access to system programs, and redirecting web searches to sites hosting other malware. A few earlier versions of the malware use a PHP script that checks the versions of Adobe Reader and Adobe Flash on the targeted host. If either is out of date, the trojan compromises the PC through known vulnerabilities in that software. If both programs are up to date, the script tests whether the system is vulnerable to several bugs Microsoft has patched in the preceding few months. A backdoor is then installed on the compromised machine, potentially giving the attackers complete control.
After execution the malware drops a DLL with a random name into the %User Profile% folder. It then creates a registry value that registers the dropped DLL as a Windows driver (a multimedia driver mapping, as in the Drivers32 entry listed below), so that any application that opens a sound device loads the DLL. When the injected DLL is loaded into applications such as regedit or notepad.exe, it prevents them from showing a GUI. Other versions instead inject a thread into Internet Explorer that opens outbound TCP connections to hard-coded IP addresses to download a supporting trojan.
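Detection logic for the persistence mechanism described above, added here as an example (this is not Norman's code or tooling): it parses a `.reg` export of the Drivers32 and Windows keys and flags driver mappings that point outside System32, use directory traversal, sit under a user profile, carry a trailing argument, or lack a codec/driver extension, and it also reports an armed AppInit_DLLs hook. The sample export, the profile name `user` and all function names are constructed for the example.

```python
"""Audit a .reg export of the two registry keys Daonol abuses for persistence:
the Drivers32 multimedia driver mappings and the AppInit_DLLs hook.
Example code written for this description; not Norman's tooling."""
import re
from dataclasses import dataclass

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# A genuine Drivers32 mapping is a bare module name with a codec/driver extension.
_MODULE_RE = re.compile(r"\.(dll|drv|acm|ax)(?=\s|$)", re.I)
# "name"=value line of a .reg export (name may contain escaped quotes).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export: stock codec entries plus the Daonol-style midi9 mapping
# and the LoadAppInit_DLLs=1 setting seen in the sandbox report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"wavemapper"="msacm32.drv"
"midi9"="C:\\Documents and Settings\\user\\Desktop\\..\\xrsgmrm.old 0yAAAAAAAA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001
"""


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reasons: list


def _unescape(s):
    # .reg string data doubles backslashes and escapes embedded quotes.
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Return {key: {value_name: value}}; strings are unescaped, dwords become ints."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, rhs = _unescape(m.group(1)), m.group(2)
        if rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = _unescape(rhs[1:-1])
        elif rhs.startswith("dword:"):
            keys[current][name] = int(rhs[6:], 16)
        else:
            keys[current][name] = rhs  # hex(...) and other types kept raw
    return keys


def audit_drivers32(values):
    """Flag Drivers32 mappings that do not look like a stock System32 codec/driver."""
    findings = []
    for name, value in values.items():
        if not isinstance(value, str):
            continue
        target, lowered, reasons = value.strip(), value.strip().lower(), []
        if "\\" in target or "/" in target:
            reasons.append("explicit path instead of a bare System32 filename")
        if "\\..\\" in target:
            reasons.append("directory traversal in path")
        if "\\documents and settings\\" in lowered or "\\users\\" in lowered:
            reasons.append("module located under a user profile")
        m = _MODULE_RE.search(target)
        if m is None:
            reasons.append("no .dll/.drv/.acm/.ax module name")
        elif target[m.end():].strip():
            reasons.append("extra argument after the module name")
        if reasons:
            findings.append(Finding(DRIVERS32_KEY, name, target, reasons))
    return findings


def audit_appinit(values):
    """Report a populated AppInit_DLLs list and an explicitly enabled loader flag."""
    findings = []
    dlls = values.get("AppInit_DLLs", "")
    if isinstance(dlls, str) and dlls.strip():
        findings.append(Finding(WINDOWS_KEY, "AppInit_DLLs", dlls,
                                ["listed modules load into every process that links user32.dll"]))
    if values.get("LoadAppInit_DLLs") == 1:
        findings.append(Finding(WINDOWS_KEY, "LoadAppInit_DLLs", "1",
                                ["AppInit injection explicitly enabled"]))
    return findings


def audit(reg_text):
    """Parse an export and run both checks; key names are matched case-insensitively."""
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    return (audit_drivers32(keys.get(DRIVERS32_KEY.lower(), {}))
            + audit_appinit(keys.get(WINDOWS_KEY.lower(), {})))


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"{f.key}\\{f.name} = {f.value!r}")
        for r in f.reasons:
            print("   -", r)
```

On a live system the same checks can be run against the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg` (and likewise for the Windows key); a 32-bit module registered under the Wow6432Node mirror of these keys on 64-bit hosts needs a second export.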
[ DetectionInfo ]
* Filename: C:\Documents and Settings\135d.bin.
* Sandbox name: .
* Signature name: NOT_SCANNED.
* Compressed: YES.
* TLS hooks: YES.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.
[ General information ]
* File length: 70125 bytes.
* MD5 hash: 135d255bad9b07d340354a0af46851d1.
[ Changes to filesystem ]
* Creates file C:\4.pr.
* Deletes file c:\sample.exe.
* Creates file C:\p3.bat.
* Deletes file "c:\4.pr".
* Deletes file "c:\p3.bat".
or
* %User Profile%\xrsgmrm.old
[ Changes to registry ]
* Accesses Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32".
or
* HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
    o midi9 = "%User Profile%\Desktop\..\xrsgmrm.old 0yAAAAAAAA"
or
* HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
    o LoadAppInit_DLLs = 0x00000001
* HKLM\System\ControlSet001\Control\Session Manager
    o PendingFileRenameOperations = (path to the originally dropped file)
* HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
    o AppInit_DLLs = ""
[ Process/window information ]
* Creates process "CMD.EXE".
Norman’s antivirus products are in general able to remove all malicious software that is detected.
Some malware variants, however, use techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean the infection:
http://www.norman.com/support/support_tools/58732/en