
Trojan.Danmec.B


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Trojan.Danmec.B.

Explanation:

Once executed, the trojan shows an error message (see below) to make the user believe it did not start. In fact it drops the files checkreg.exe, iisload.dll and wslXXXXX.dll into the %WINSYS% directory and adds a system startup entry pointing to one of the dropped files (checkreg.exe).
The iisload.dll file is used to inject wslXXXXX.dll into the EXPLORER.EXE process, so the trojan is memory resident.
A BAT file dropped in the %TEMP% folder is then executed to delete the original file.

[Figure: the error message displayed when the trojan is executed.]

The code injected in EXPLORER.EXE gathers the following information about the infected computer:


- the operating system (version, build, service pack)
- the running processes
- the installed programs (those listed in the "Add/Remove Programs" section of Control Panel)
- the available network adapters (their status, incoming and outgoing bytes, speed and type: Ethernet, PPP, FDDI, etc.)
- the hard drive's directory structure (searching drives from C: to Z: and building the entire structure for fixed drives)

This information is then encrypted and sent to a remote computer.
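The dropped files and the startup entry described above lend themselves to a simple host check. The following Python script is an added example, not BitDefender's code and not part of the original entry. It assumes the startup entry is a value in a Run-style registry key (the description only says "an entry at the system startup") and treats the XXXXX in wslXXXXX.dll as a variable suffix of unknown length. The directory listing and Run values at the bottom are constructed sample input; on a real host you would feed it the %WINSYS% listing and the Run key values instead.

```python
import re

# Host-check helper for the Trojan.Danmec.B indicators named in the BitDefender
# description. Added example, not BitDefender's code.
# Assumptions: the startup entry lives in a Run-style registry key (the page only
# says "an entry at the system startup"), and the "XXXXX" part of wslXXXXX.dll is
# treated as any non-empty run of characters.

DROPPED_FILE_PATTERNS = [
    re.compile(r"^checkreg\.exe$", re.IGNORECASE),
    re.compile(r"^iisload\.dll$", re.IGNORECASE),
    re.compile(r"^wsl.+\.dll$", re.IGNORECASE),  # variable name; assumed shape
]

# Matches checkreg.exe as the executable token of a startup command, whether the
# path is quoted, bare, or written with forward slashes.
STARTUP_TARGET = re.compile(r'(?:^|[\\/"\s])checkreg\.exe(?:["\s]|$)', re.IGNORECASE)


def find_dropped_files(system_dir_listing):
    """Return the names in a %WINSYS% directory listing that match a dropped-file pattern."""
    return [name for name in system_dir_listing
            if any(p.match(name) for p in DROPPED_FILE_PATTERNS)]


def find_startup_entries(run_values):
    """Return (value_name, command) pairs whose command launches checkreg.exe.

    run_values maps a registry value name to its command string, as read from a
    Run key (assumed location).
    """
    return [(name, cmd) for name, cmd in run_values.items() if STARTUP_TARGET.search(cmd)]


def assess(system_dir_listing, run_values):
    """Combine both checks into a verdict.

    Both the dropped files and the startup entry are needed for "suspicious";
    either alone is worth a manual look, since a wsl*.dll name on its own is
    not a unique indicator.
    """
    files = find_dropped_files(system_dir_listing)
    startup = find_startup_entries(run_values)
    if files and startup:
        verdict = "suspicious"
    elif files or startup:
        verdict = "review"
    else:
        verdict = "clean"
    return {"dropped_files": files, "startup_entries": startup, "verdict": verdict}


# Constructed sample input standing in for a real %WINSYS% listing and Run key.
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "checkreg.exe", "iisload.dll", "wsl93a1f.dll", "user32.dll"]
SAMPLE_RUN_VALUES = {
    "Updater": r'"C:\Program Files\Example\updater.exe" /background',
    "checkreg": r"C:\Windows\System32\checkreg.exe",
}

if __name__ == "__main__":
    print(assess(SAMPLE_SYSTEM_DIR, SAMPLE_RUN_VALUES))
```

The verdict deliberately requires both indicator classes before reporting "suspicious": a single file name match (especially the wildcard wsl*.dll) is too weak on its own, while a startup value pointing at checkreg.exe in the system directory together with the companion DLLs matches the dropping behaviour the description gives.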

Last update 21 November 2011

 
