TrojanDownloader:Win32/Dofoil.gen!C


First posted on 25 February 2012.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Dofoil.gen!C is also known as Win32/TrojanDownloader.Zurgop.AK trojan (ESET), Trojan.Win32.Yakes.kws (Kaspersky), Trojan.Smoaler!gen1 (Symantec).

Explanation:

TrojanDownloader:Win32/Dofoil.gen!C is a trojan downloader component of the Win32/Dofoil family that connects to a remote site to download and execute arbitrary files.


Installation

TrojanDownloader:Win32/Dofoil.gen!C may arrive as a ZIP attachment to spammed email messages. The email falsely claims to be regarding an airline ticket from American Airlines, or a package delivered via FedEx, UPS, or DHL. The attachment may have a file name similar to any of the following:

  • Post_Label.exe
  • FedEx_Invoice.exe
  • AA_Ticket.exe
  • Gift_Card.exe


Upon execution, TrojanDownloader:Win32/Dofoil.gen!C may copy itself into the %AppData% folder using the same file name as a legitimate Windows file, for example:

  • %AppData%\smss.exe
  • %AppData%\csrss.exe


Note that legitimate Windows files also named "smss.exe" and "csrss.exe" exist by default in the Windows system folder.

TrojanDownloader:Win32/Dofoil.gen!C may modify the system registry to ensure that its copy executes at every Windows start, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Classes" or "Microsoft" or "ODBC" or "Netscape"
With data: "%AppData%\smss.exe" or "%AppData%\csrss.exe"
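The two persistence artifacts above (a masquerading copy in %AppData% and a Policies\Explorer\Run value pointing at it) are what a defender would check for on a suspect host. The following PowerShell check is an added example and is not part of the original advisory; it assumes only the file names and registry value names listed above.

```powershell
# Added example (not from the original advisory): a defender-side check for the
# two persistence artifacts described above. The file names and registry value
# names are the ones the advisory lists; nothing else is assumed about a sample.
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$valueNames = @('Classes', 'Microsoft', 'ODBC', 'Netscape')        # value names cited above
$appData    = [Environment]::GetFolderPath('ApplicationData')      # resolves %AppData%
$systemDir  = [Environment]::SystemDirectory                       # where the real copies live
$fileNames  = @('smss.exe', 'csrss.exe')
$findings   = @()

# 1. A file named like a core Windows binary that lives in %AppData% instead of the system folder.
foreach ($name in $fileNames) {
    $candidate = Join-Path $appData $name
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $candidate
            Detail   = "Same name as $(Join-Path $systemDir $name) but located in the user profile"
        }
    }
}

# 2. Policies\Explorer\Run values. The key itself is a legitimate policy location, so a hit is
#    not proof of infection, but any value whose data points into %AppData% deserves a look,
#    and the specific value names from the advisory are flagged regardless of their data.
if (Test-Path -LiteralPath $runKey) {
    $key = Get-Item -LiteralPath $runKey
    foreach ($valueName in $key.GetValueNames()) {
        $rawData   = [string]$key.GetValue($valueName)
        $expanded  = [Environment]::ExpandEnvironmentVariables($rawData).Trim('"')
        $inAppData = $expanded.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)
        if ($inAppData -or ($valueNames -contains $valueName)) {
            $findings += [pscustomobject]@{
                Type     = 'Registry'
                Location = "$runKey\$valueName"
                Detail   = $rawData
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Dofoil-style persistence indicators found for the current user.'
} else {
    $findings | Format-Table -AutoSize
}
```

HKCU only covers the user running the script; to sweep other profiles on the same machine, load or enumerate each user's hive under HKU and substitute that path for the HKCU prefix.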



Payload

Downloads and executes arbitrary files

TrojanDownloader:Win32/Dofoil.gen!C injects code into the "svchost.exe" system process and attempts to connect to a remote server. Once connected, the server sends encrypted configuration data as a response. The data contains the URLs and execution parameters for the downloaded files.

The downloaded files may be executed immediately after being written to disk in the %Temp% folder, or they may be loaded and injected directly into certain processes.

In the wild, TrojanDownloader:Win32/Dofoil.gen!C has been observed to contact one of a number of remote servers.



Analysis by Rex Plantado

Last update 25 February 2012
