TrojanDownloader:Win32/Dofoil.gen!B
First posted on 23 February 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Dofoil.gen!B is also known as TROJ_YAKES.JT (Trend Micro), Win32/TrojanDownloader.Zurgop.AI trojan (ESET), Trojan/Win32.Remex (AhnLab), Trojan.Yakes!xGALyJRIKUQ (VirusBuster), Trojan.Smoaler (Symantec), Trojan.Win32.Yakes.ogc (Kaspersky), DDoS.Win32.Dofoil (Ikarus), TR/Dldr.Dofoil.O.2 (Avira).
Explanation:
TrojanDownloader:Win32/Dofoil.gen!B is a trojan that may arrive as the attachment of spammed email messages. It connects to remote servers to download arbitrary files.
Installation
Upon execution, TrojanDownloader:Win32/Dofoil.gen!B drops a copy of itself into the user's %AppData% folder as a file named smss.exe or csrss.exe. Note that legitimate files with the same name exist by default in the Windows system folder.
TrojanDownloader:Win32/Dofoil.gen!B may arrive as an attachment via spammed email messages. The following are some of the email campaigns we have observed distributing TrojanDownloader:Win32/Dofoil.gen!B:
Email claiming to contain an electronic ticket from American Airlines; the attachment may have any of the following file names:
- AA_Ticket.zip
- Delivery_information.zip
- Ticket.zip
- Ticket_AA4173.zip
Email claiming to contain a post label with tracking numbers for a package supposedly from the US Postal Service or DHL; the attachment may have any of the following file names:
- Post_Label_9182US.zip
- Post_Label_US2012.zip
Email claiming to be an Adobe CS4 license key; the attachment may have the following file name:
- License_Key_#5145.zip
Email claiming to contain a sexy photo; the attachment may have the following file name:
- sexy_photo1322209355.zip
Email claiming to be an invoice from FedEx; the attachment may have the following file name:
- FedEx_Invoice.zip
It modifies the following registry entry to ensure that it executes at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "<variable>"
With data: "%AppData%\<malware file>"
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Microsoft"
With data: "%AppData%\smss.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Netscape"
With data: "%AppData%\csrss.exe"
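The registry entries above are what a responder verifies first on a suspect host. The following Python script is an added example and is not part of this advisory or of Microsoft's tooling: on Windows it enumerates the Policies\Explorer\Run key with winreg, elsewhere it evaluates a constructed sample, and in both cases it flags any value whose target is named smss.exe or csrss.exe but lives outside the Windows system folder (the distinction the advisory's note about legitimate files of the same name calls for). The default profile paths used to expand %AppData% offline, the trusted folder list, and the extra "inside the user profile" heuristic are assumptions.

```python
import ntpath
import re
import sys

# Autorun key the trojan writes to (from the advisory), relative to HKCU.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

# Names the dropped copy uses. Legitimate binaries with these names live in the
# Windows system folder, so the same name under %AppData% is the signal.
LOOKALIKE_NAMES = {"smss.exe", "csrss.exe"}

# Folders where those names are expected (assumed default install paths).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Assumed profile paths so %AppData%-style values can be expanded offline.
DEFAULT_ENV = {
    "appdata": r"C:\Users\user\AppData\Roaming",
    "temp": r"C:\Users\user\AppData\Local\Temp",
}


def expand(data: str) -> str:
    """Expand %VAR% tokens using DEFAULT_ENV (case-insensitive, like Windows)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: DEFAULT_ENV.get(m.group(1).lower(), m.group(0)),
                  data)


def classify_run_entries(entries):
    """Return [(value_name, expanded_path, reason)] for suspicious entries.

    entries is an iterable of (value_name, data) pairs read from the Run key.
    """
    hits = []
    for name, data in entries:
        path = expand(data).strip('"')
        base = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if base in LOOKALIKE_NAMES and not folder.startswith(TRUSTED_DIRS):
            hits.append((name, path, "system-process name outside the system folder"))
        elif "\\appdata\\" in path.lower():
            # Assumed heuristic: any autorun pointing into the user profile
            # deserves a look, even if the file name is unremarkable.
            hits.append((name, path, "autorun target inside the user profile"))
    return hits


def read_live_entries():
    """Enumerate the key on a Windows host; return [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:          # no more values under the key
                    break
                entries.append((name, str(data)))
                index += 1
    except FileNotFoundError:            # key absent: nothing to check
        pass
    return entries


# Constructed sample: the two values the advisory lists plus a benign entry.
SAMPLE_ENTRIES = [
    ("Microsoft", r"%AppData%\smss.exe"),
    ("Netscape", r"%AppData%\csrss.exe"),
    ("VendorUpdate", r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    entries = read_live_entries() or SAMPLE_ENTRIES
    for name, path, reason in classify_run_entries(entries):
        print(f"{name!r} -> {path}: {reason}")
```

Run it under the affected user's account, since the key sits under HKCU; a copy of smss.exe in C:\Windows\System32 is not reported, which is exactly the behaviour the advisory's note about legitimate files requires.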
Payload
Downloads and executes arbitrary files
TrojanDownloader:Win32/Dofoil.gen!B injects code into the "svchost.exe" process and attempts to connect to the HTTP port of a remote server. If a successful connection is established, it receives a response that contains encrypted configuration data, which may consist of URLs and execution options. One or more binaries are then downloaded and decrypted. The binaries are either executed directly after being written to disk in the %Temp% folder or they may be loaded and injected directly.
In the wild, TrojanDownloader:Win32/Dofoil.gen!B has been observed contacting one of the following remote servers:
- agurinul12.ru
- alakunia9991.ru
- annemccaffrey2011.ru
- callbackme.com
- cannacross.ws
- centosbaserus.in
- centosbaserus.su
- deranosa789.ru
- ennriver.in
- labrador2011.ru
- loadsftp.ru
- ocean2372721.ru
- ryanbraun.ru
- show-time.org.ua
- south78483825.ru
- support.surgery4991.info
- thanksgiving2011.ru
- trustmeplz.com
- urbanmeyerohiostate.ru
- xaoz.net.ua
Additional information
TrojanDownloader:Win32/Dofoil.gen!B may monitor web traffic via the following URLs:
- go.mail.ru/search
- nova.rambler.ru/search
- search.aol.com/aol/search
- search.yahoo.com/search
- www.google.com/search
- yandex.ru/yandsearch
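The remote server list above is the network indicator a SOC would search its proxy logs for. The following Python script is an added example, not part of this advisory or of Microsoft's tooling: it parses constructed proxy log lines in an assumed "timestamp client method url status" format, extracts the host from each URL, and matches it against the advisory's server list with subdomain-aware suffix matching, so that cdn.labrador2011.ru matches but notlabrador2011.ru does not. The search URLs listed just above are legitimate sites the trojan monitors, not indicators, so they are deliberately left out of the match set; the log format and sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Remote servers the advisory lists as contacted by the downloader.
C2_HOSTS = {
    "agurinul12.ru", "alakunia9991.ru", "annemccaffrey2011.ru", "callbackme.com",
    "cannacross.ws", "centosbaserus.in", "centosbaserus.su", "deranosa789.ru",
    "ennriver.in", "labrador2011.ru", "loadsftp.ru", "ocean2372721.ru",
    "ryanbraun.ru", "show-time.org.ua", "south78483825.ru",
    "support.surgery4991.info", "thanksgiving2011.ru", "trustmeplz.com",
    "urbanmeyerohiostate.ru", "xaoz.net.ua",
}

# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def host_matches(host, indicators):
    """True if host equals an indicator or is a subdomain of one.

    Walks the label suffixes of host so that a plain substring search is
    never used: 'notlabrador2011.ru' must not match 'labrador2011.ru'.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))


def parse_line(line):
    """Parse one log line into a dict with a 'host' field, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def find_c2_contacts(lines, indicators=C2_HOSTS):
    """Return [(timestamp, client, host)] for every request to an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                     # unparseable lines are skipped, not fatal
        if host_matches(rec["host"], indicators):
            hits.append((rec["ts"], rec["client"], rec["host"]))
    return hits


# Constructed sample log: one benign search, two indicator contacts, one
# look-alike that must not match, and one malformed line.
SAMPLE_LOG = [
    "2012-02-23T10:01:02Z 10.0.0.15 GET http://www.google.com/search?q=weather 200",
    "2012-02-23T10:01:09Z 10.0.0.15 GET http://agurinul12.ru/ 200",
    "2012-02-23T10:02:30Z 10.0.0.22 GET http://cdn.labrador2011.ru/img.png 404",
    "2012-02-23T10:03:11Z 10.0.0.22 GET http://notlabrador2011.ru/ 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, client, host in find_c2_contacts(SAMPLE_LOG):
        print(f"{ts} {client} contacted {host}")
```

A hit identifies the client that made the request; because the advisory says the trojan injects into svchost.exe, the follow-up on that host is to look for an svchost.exe instance whose parent or image path is unusual, rather than to expect the downloader's own process name in endpoint telemetry.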
Analysis by Gilou Tenebro
Last update 23 February 2012