| Aliases: | Trojan.Win32.Agent.chbm (Kaspersky), Infostealer.Daonol (Symantec), Generic.dx!ct (McAfee) |
| Type of infiltration: | Trojan |
| Size: | 17920 B |
| Affected platforms: | Microsoft Windows |
| Signature database version: | 4093 (20090521) |
You can download the removal tool here.
Short description
Win32/Daonol.C is a trojan that steals passwords and other sensitive information. The file is run-time compressed using UPX.
Installation
When executed, the trojan creates the following files:
- ..\%currentfolder%\%random1%.%random2%
Note:
"..\" denotes the folder one level higher in the file system tree. A string with variable content is used instead of %random1-2%.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
  "aux2" = "%currentfolder%\..\%random1%.%random2%"
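The Drivers32 entry above is a useful hunting point, because legitimate values there are bare multimedia module names (midimap.dll, msacm32.drv) resolved from System32, not full paths with "..\" and a random extension. The following checker is an added example, not ESET's removal tool: it parses a .reg export of the Drivers32 key (the sample export and its file name are constructed) and flags values that match the pattern this page describes.

```python
import ntpath
import re

# Constructed sample: a .reg export of the Drivers32 key as reg.exe would
# write it, with three ordinary entries and one shaped like the Daonol.C
# persistence value (path one level above the drop folder, random extension).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"wavemapper"="msacm32.drv"
"aux2"="C:\\Users\\Public\\Downloads\\..\\7f3a1c.d9e"
"""

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
# Extensions that multimedia driver mappings normally carry.
LEGIT_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_drivers32(reg_text):
    """Return {value_name: data} for the Drivers32 key in a .reg export."""
    entries = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == DRIVERS32_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            # .reg files escape every backslash as "\\"; undo that.
            entries[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return entries


def suspicious_drivers32_entries(entries):
    """Return [(value_name, [reasons])] for values that look like the trojan's."""
    findings = []
    for name, data in entries.items():
        reasons = []
        if "\\..\\" in data:
            reasons.append("parent-directory traversal in module path")
        if ntpath.splitext(data)[1].lower() not in LEGIT_EXTENSIONS:
            reasons.append("unexpected extension for a driver module")
        if ntpath.isabs(data) and "\\system32\\" not in data.lower():
            reasons.append("absolute path outside System32")
        if reasons:
            findings.append((name, reasons))
    return findings


def scan_reg_export(reg_text):
    """Convenience wrapper: parse the export and return the findings."""
    return suspicious_drivers32_entries(parse_drivers32(reg_text))
```

On a live host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg` and feed the file's text to `scan_reg_export`.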
Information stealing
Win32/Daonol.C is a trojan that steals passwords and other sensitive information. The following information is collected:
The data is saved in the following file:
Other information
The trojan blocks access to any domains that contain any of the following strings in their name:
- Adob
- AVG
- AVPU
- CAUp
- clamav
- COMO
- Enig
- ESS
- LIVE
- Live
- mbam
- mcafee
- McHT
- miekiemoes
- NOD3
- Nort
- Pand
- prevx
- SpyS
- SUPE
- TMUF
The trojan hooks the following Windows APIs:
- CreateProcessW [kernel32.dll]
- connect [ws2_32.dll]
- send [ws2_32.dll]
- WSARecv [ws2_32.dll]
- WSASend [ws2_32.dll]
- recv [ws2_32.dll]
The trojan terminates processes with any of the following strings in the name:
The trojan quits immediately if it detects a running process containing one of the following strings in its name:
The trojan can redirect results of online search engines to web sites that contain adware.
The trojan can download and execute a file from the Internet.