
DDoS:Win32/Dofoil.A


First posted on 05 January 2012.
Source: Microsoft

Aliases:

There are no other names known for DDoS:Win32/Dofoil.A.

Explanation:

DDoS:Win32/Dofoil.A is a trojan that connects to a remote website to download and execute arbitrary files. It may also receive instructions from the remote server to perform distributed denial-of-service (DDoS) attacks against certain websites.



Installation

DDoS:Win32/Dofoil.A may arrive as an attachment in spammed email messages. It may arrive with attachment file names similar to the following:

  • Package_information_UK42720.zip (containing the main executable as Package_information.exe)
  • Correo_Etiqueta.zip (containing the main executable as Correo_Etiqueta.exe)
  • Gift_Card.zip (containing the main executable as Gift_Card.exe)


Upon execution, it may copy itself into the %AppData% folder using the same file name as a legitimate Windows file, for example:

%AppData%\smss.exe

Note that a legitimate Windows file also named "smss.exe" exists by default in the Windows system folder.

DDoS:Win32/Dofoil.A may modify the system registry to ensure that its copy executes at every Windows start, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Classes" or "Microsoft" or "ODBC"
With data: "%AppData%\smss.exe"
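The persistence artefacts listed above (the Policies\Explorer\Run value pointing at %AppData%\smss.exe) can be checked for on a single host with the following PowerShell script. It is an added example written for this entry, not code from the Microsoft write-up; the registry key, value names and file path come from the entry, while the running-process check and the rule that any other value under this key deserves review are this editor's assumptions.

```powershell
# Added detection check (not part of the Microsoft write-up): look for the
# persistence artefacts described for DDoS:Win32/Dofoil.A on the local host.
$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$suspectNames = @('Classes', 'Microsoft', 'ODBC')      # value names given in the entry
$appDataSmss  = Join-Path $env:APPDATA 'smss.exe'      # expands %AppData%\smss.exe
$legitSmss    = Join-Path $env:SystemRoot 'System32\smss.exe'

$findings = @()

# 1. Values under Policies\Explorer\Run: flag the names/data the entry lists as
#    High, and report anything else there for review (assumption: this key is
#    normally empty on a workstation).
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata
        $data = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        $hit  = ($suspectNames -contains $p.Name) -or
                ($data -ieq $appDataSmss) -or
                ($data -imatch '\\smss\.exe$')
        $findings += [pscustomobject]@{
            Indicator = "Run value '$($p.Name)' = '$($p.Value)'"
            Severity  = if ($hit) { 'High' } else { 'Review' }
        }
    }
}

# 2. The dropped copy lives in %AppData% under a name borrowed from a system binary.
if (Test-Path $appDataSmss) {
    $f = Get-Item $appDataSmss
    $findings += [pscustomobject]@{
        Indicator = "File $($f.FullName) ($($f.Length) bytes, written $($f.LastWriteTime))"
        Severity  = 'High'
    }
}

# 3. Any running smss.exe whose image is not the System32 copy (assumption: the
#    real session manager's Path is unreadable without admin rights, hence the guard).
Get-Process -Name smss -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and ($_.Path -ine $legitSmss)) {
        $findings += [pscustomobject]@{
            Indicator = "Process smss.exe (PID $($_.Id)) running from $($_.Path)"
            Severity  = 'High'
        }
    }
}

if ($findings.Count -eq 0) { 'No Dofoil.A persistence indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it under the user account whose HKCU hive is being examined, since the Run key and %AppData% path are per-user.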



Payload

Downloads and executes arbitrary files

DDoS:Win32/Dofoil.A injects code into the "svchost.exe" process, which contacts a remote server and receives a response that contains encrypted configuration data. The data received by DDoS:Win32/Dofoil.A contains URLs and execution options. One or more binaries are downloaded from the URLs and decrypted. The binaries are either executed directly after being written to disk in the %Temp% folder or they are loaded and injected directly into certain processes.

In the wild, DDoS:Win32/Dofoil.A has been observed to download arbitrary files from one of the following remote servers:

  • thanksgiving<removed>.ru
  • annemccaffrey<removed>.ru


Performs Distributed Denial of Service attacks

DDoS:Win32/Dofoil.A receives instructions from the remote server to perform distributed denial-of-service (DDoS) attacks against certain websites.



Analysis by Lena Lin

Last update 05 January 2012
