Trojan:Win32/Daonol.H
First posted on 14 December 2009.
Source: SecurityHome
Aliases:
There are no other names known for Trojan:Win32/Daonol.H.
Explanation:
Trojan:Win32/Daonol.H is a member of Win32/Daonol - a family of trojans capable of monitoring network traffic, stealing FTP credentials, preventing access to security Web sites, disabling access to system programs, and redirecting Web searches to sites hosting other malware.
Installation
Upon execution, Win32/Daonol drops its DLL component under a random file name one level up from the current folder. For example, if the current folder is the Windows system folder, it may drop the file tpqnh.hmq in the Windows folder itself. It then modifies the registry so that the dropped file is registered as a multimedia driver DLL under Drivers32, the key that maps audio and video device aliases to the DLLs Windows loads for them, for example:
Adds value: "<variable value>", for example "aux", "aux4", "midi9", and so on
With data: (for example) "<current folder>\..\tpqnh.hmq"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
where <current folder> is the folder in which the trojan is running. Note that the value "aux" may already exist in this key by default, pointing to the system's audio driver; the trojan's write replaces that setting. Because Drivers32 entries are loaded on demand by the multimedia subsystem, the trojan's DLL is loaded into a process only when an application initialises audio playback, for example to play a sound. Once loaded, Daonol allocates memory in the host process, copies its code there, installs the system hooks described below, and then unloads its DLL so that it no longer appears in the process's list of loaded modules; the hooks, running from the copied code, remain active.
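The Drivers32 change above is the most durable artefact of an infection and the one a responder should check first. The following is an added example, not code from the original write-up: it parses the text of a "reg export" of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 taken on the suspect machine and flags values whose data uses parent-folder traversal (the "\..\" form quoted above), carries an extension that no multimedia driver uses, or points to a file outside the system folder. The export embedded in the script is constructed for the example; the file name tpqnh.hmq is the one quoted above, and the set of legitimate driver extensions is an assumption.

```python
# Added example, not part of the original write-up: triage of the Drivers32
# key for a Daonol-style entry. It parses the text of a "reg export" of
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 taken on the
# suspect machine and flags values whose data uses parent-folder traversal,
# an extension that no multimedia driver uses, or a file outside the system
# folder. The export below is constructed for the example; the file name
# tpqnh.hmq is the one quoted in the write-up, and the set of legitimate
# driver extensions is an assumption.
import ntpath
import re

LEGIT_DRIVER_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}  # assumption

# Constructed sample of "reg export" output; .reg files double every backslash.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"msacm.msadpcm"="msadp32.acm"
"vidc.cvid"="iccvid.dll"
"aux"="C:\\WINDOWS\\system32\\..\\tpqnh.hmq"
"midi9"="C:\\WINDOWS\\tpqnh.hmq"
'''

ENTRY_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {value name: data} for the string values in a .reg export."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            name, data = match.groups()
            entries[name] = data.replace("\\\\", "\\")  # undo .reg escaping
    return entries


def suspicious_drivers32_entries(entries, system_dir=r"C:\WINDOWS\system32"):
    """Return [(value name, path, [reasons])] for entries that look planted.

    Bare file names (the normal case) are loaded from the system folder, so
    only absolute paths are checked for location; every entry is checked for
    "\\..\\" traversal and for an unexpected extension.
    """
    sysdir = system_dir.lower().rstrip("\\")
    findings = []
    for name, path in entries.items():
        reasons = []
        low = path.lower()
        if "\\..\\" in low:
            reasons.append("parent-folder traversal in path")
        if ntpath.splitext(low)[1] not in LEGIT_DRIVER_EXTENSIONS:
            reasons.append("extension is not a driver or codec extension")
        if ntpath.isabs(low) and ntpath.dirname(ntpath.normpath(low)) != sysdir:
            reasons.append("file lives outside the system folder")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in suspicious_drivers32_entries(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{name!r} -> {path}: {'; '.join(reasons)}")
```

On the constructed export the script flags "aux" (traversal, extension and location) and "midi9" (extension and location) while leaving the wdmaud.drv and codec entries alone. Because the trojan hooks ZwOpenKey inside infected processes, take the export from a clean boot environment or with a tool that is not itself hooked, and pass the real system folder as system_dir if it is not C:\WINDOWS\system32.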
Daonol may also hook functions in NTDLL (ZwOpenKey specifically) so that the registry modification is protected and cannot easily be removed through a hooked process.
Payload
Steals FTP credentials
Win32/Daonol may steal FTP credentials (FTP server names, user names and passwords) by hooking the following WS2_32.dll functions to monitor or modify network traffic:
recv
send
connect
WSARecv
WSASend
It stores the stolen information in a file named sqlsodbc.chm that it creates in the Windows system folder. A legitimate file of that name exists in the same folder on a default Windows installation, so the trojan overwrites the genuine sqlsodbc.chm. The stolen information is then sent to remote servers, such as the following:
195.24.76.250
67.215.237.98
67.215.246.34
94.229.65.172
Prevents access to certain Web sites
Win32/Daonol may prevent access to Web sites whose URLs contain the following strings:
Adob
DaonolFix
bleepingcomputer
clamav
mbam
mcafee
miekiemoes
prevx
Disables access to system programs
Win32/Daonol may also prevent explorer.exe from launching applications and files whose names contain the following strings:
reged (for example the Registry Editor, regedit.exe)
cmd
.bat (any batch file)
.reg (any registry file)
It does this by hooking kernel32.dll functions such as CreateProcessW, so that launching these programs from the Explorer shell fails.
Redirects Web searches
Win32/Daonol redirects search results from certain sites, such as those whose URLs contain the following strings, to sites hosting other malware:
msn
live
yahoo
Additional Information
Beyond the payloads described above, a Win32/Daonol infection may have further unintended and unwanted effects on an affected machine. Some variants contain bugs that cause substantial system instability; these variants often make affected systems hang at shutdown and startup, most commonly on Windows XP. There are no visible symptoms of infection until the affected user attempts to reboot the machine.
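The two payload artefacts described above that a responder can verify without running anything on the infected host are the overwritten sqlsodbc.chm and connections to the listed drop servers. The following is an added example, not code from the original write-up: it takes the bytes of %SystemRoot%\system32\sqlsodbc.chm and the text of "netstat -an" collected on the suspect machine and checks both. The CHM header value is a property of the compiled HTML Help format, the drop-server addresses are the four listed above, and the file and netstat samples embedded in the script are constructed.

```python
# Added example, not part of the original write-up: two offline checks for the
# FTP-credential-theft payload described under Payload. Collect the bytes of
# %SystemRoot%\system32\sqlsodbc.chm and the text of "netstat -an" on the
# suspect machine and pass them in; the samples at the bottom are constructed.
import re

CHM_MAGIC = b"ITSF"  # every genuine compiled HTML Help (.chm) file starts with this

# The four drop servers listed in the write-up.
DAONOL_DROP_SERVERS = {
    "195.24.76.250",
    "67.215.237.98",
    "67.215.246.34",
    "94.229.65.172",
}

# Matches data rows of "netstat -an": proto, local, remote, optional state.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def sqlsodbc_chm_overwritten(data):
    """True when sqlsodbc.chm no longer carries the CHM header, i.e. the
    legitimate help file has been replaced by the trojan's credential store."""
    return not data.startswith(CHM_MAGIC)


def drop_server_connections(netstat_text):
    """Return (remote address, state) for netstat rows whose remote IP is a
    known Daonol drop server; state is "" for UDP rows."""
    hits = []
    for line in netstat_text.splitlines():
        match = NETSTAT_RE.match(line)
        if not match:
            continue
        remote = match.group(3)
        remote_ip = remote.rsplit(":", 1)[0]
        if remote_ip in DAONOL_DROP_SERVERS:
            hits.append((remote, match.group(4) or ""))
    return hits


# Constructed samples: only the leading magic of the genuine file matters here,
# and the overwritten sample is a plausible shape for a credential store, not
# the trojan's real format.
GENUINE_CHM = b"ITSF\x03\x00\x00\x00\x60\x00\x00\x00" + b"\x00" * 20
OVERWRITTEN_CHM = b"ftp.example.net\tuser\tsecret\r\n"
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       67.215.237.98:80       ESTABLISHED
  TCP    192.168.1.5:1044       198.51.100.7:443       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    print("sqlsodbc.chm overwritten:", sqlsodbc_chm_overwritten(OVERWRITTEN_CHM))
    print("drop-server connections:", drop_server_connections(SAMPLE_NETSTAT))
```

A missing CHM header is a strong indicator because nothing legitimate rewrites that help file, but the netstat check only catches a live upload; absence of a hit does not clear the host, since the credential store is sent intermittently and the WS2_32 hooks are not visible from netstat at all.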
Analysis by Jireh Sanico and Aaron Putnam
Last update 14 December 2009