
TrojanDownloader:Win32/Dofoil.O


First posted on 10 March 2012.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Dofoil.O is also known as Trojan.Tenegour.9 (Dr.Web), Downloader-CRD (McAfee), Troj/Bredo-TZ (Sophos).

Explanation:

TrojanDownloader:Win32/Dofoil.O is a trojan that attempts to download arbitrary files from specified remote servers. This trojan may be encountered as a file attached to a spammed email message.



TrojanDownloader:Win32/Dofoil.O is a trojan that attempts to download arbitrary files from specified remote servers.

Installation

This trojan may be encountered as a file attached to a spammed email message. In the wild, the message content and the trojan file name vary between spam campaigns, and the messages use a social engineering element, referencing credible sources, to increase the chance of the recipient executing the trojan. The following are examples of spam campaigns that used varied subject lines and file attachments to distribute TrojanDownloader:Win32/Dofoil.O:

  • Spam referencing American Airlines
    • Subject:
      Order has been completed
      Order#36513252
      Order#5733194
      Your Order##5500239
      Your Order#116482832
      Your Order#1767597
      Your Order#83807 has been completed
    • File attachment:
      AA_Ticket.zip
      Delivery_information.zip
      Ticket.zip
      Ticket_AA3412.zip
      Ticket_AA4173.zip
      Ticket_AA4911.zip

  • Spam referencing DHL
    • Subject:
      DHL #Delivery information
      Track your parcel No05451
      Your package can be received
      Your package is available for pickup.NR#66826
    • File attachment:
      Post_Label.zip
      Post_Label_1220US.zip
      Post_Label_9182US.zip
      Post_Label_US8732.zip

  • Spam referencing undelivered mail
    • Subject:
      Canada Post shipment status
      USPS Invoice copy NO#42406547
    • File attachment:
      Delivery_Information_AU.exe
      Post_Label_US2012.zip

  • Spam referencing a "license key" for Adobe InDesign Creative Suite 4
    • Subject:
      InDesign CS4 License key #Order 0028
      InDesign CS4 License key #Order 2203
      InDesign CS4 License key #Order 3910
      Your InDesign CS4 License key here
      Your InDesign CS4 License key Order 0437
    • File attachment:
      License_Key_#5145.zip
      License_Key_#6405.zip
      License_key_ID324.zip
      License_key_ID600.zip
      License_key_ID726.zip

  • Spam referencing FedEx
    • Subject:
      Delivery Error No7766
      Delivery Error No8054
      FedEx Delivery Error No9705
      Fedex Invoice copy NO#9587
      Track your parcel
      Track your shipment NO4820
      You need to get a parcel number 2543
      You need to get a parcel number 78609
      Your package is available for pickup.NO#5153
    • File attachment:
      FedEx_Invoice.zip
      FEDEX_INVOICE_ID191-44.zip
      FEDEX_INVOICE_ID378-45.zip
      Invoice_ID167235.zip
      Invoice_ID267485.zip
      Invoice_ID757731.zip

  • Spam referencing a "sexy photo" in German
    • Subject:
      hallo meine neuer Freund
      Heute ist ein schöner Tag! Haben Sie !!!!
    • File attachment:
      sexy_photo.zip
      sexy_photo1322209355.zip


If run, TrojanDownloader:Win32/Dofoil.O drops a copy of the trojan as a file named "csrss.exe" or as a randomly named file, as in the following examples:

  • c:\documents and settings\administrator\application data\csrss.exe
  • c:\documents and settings\administrator\application data\4a07e3.exe


The registry is modified to run the installed trojan at each Windows start.

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "<variable name>"
With data: "%AppData%\<trojan file name>"

For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Netscape"
With data: "c:\documents and settings\administrator\application data\csrss.exe"

or

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "FlySky"
With data: "c:\documents and settings\administrator\application data\4a07e3.exe"
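The persistence mechanism above (a per-user Policies\Explorer\Run value pointing at an executable dropped into the Application Data folder, sometimes named after a core system process) can be triaged from a registry export. The following is an added example, not Microsoft's or the analyst's code: it parses a .reg export of that key and flags entries that fit the pattern. The sample export and the classification rules are assumptions constructed for the example; only the value names and paths quoted in the report are taken from the page.

```python
"""Triage helper for the Dofoil.O persistence pattern.

Added example: parses a Windows .reg export of
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run and flags
entries that launch from the user's Application Data folder, reuse a core
system process name outside %SystemRoot%\System32, or use a random hex-style
file name. The sample export below is constructed from the values quoted in the
report.
"""
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

# Process names that legitimately live only in the Windows system directory (assumption).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}

# Path fragments that mark user-writable application-data locations.
APPDATA_MARKERS = ("\\application data\\", "\\appdata\\", "%appdata%")

# Constructed sample export; .reg files escape backslashes as "\\".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Netscape"="c:\\documents and settings\\administrator\\application data\\csrss.exe"
"FlySky"="c:\\documents and settings\\administrator\\application data\\4a07e3.exe"
"Sync"="c:\\program files\\vendor\\sync.exe"
"""

_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_text, key=RUN_KEY):
    """Return {value_name: data} for the given key in a .reg export."""
    values = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_LINE.match(line)
        if m:
            # Undo .reg escaping of quotes and backslashes.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            values[m.group("name")] = data
    return values


def classify_entry(data):
    """Return the reasons an autorun entry fits the Dofoil.O pattern (empty if none)."""
    reasons = []
    path = PureWindowsPath(data.strip('"'))
    lowered = str(path).lower()
    if any(marker in lowered for marker in APPDATA_MARKERS):
        reasons.append("launches from user application-data folder")
    name = path.name.lower()
    if name in SYSTEM_PROCESS_NAMES and "\\system32\\" not in lowered:
        reasons.append(f"{name} outside System32 (mimics a system process)")
    if re.fullmatch(r"[0-9a-f]{6,}\.exe", name):
        reasons.append("random hex-style executable name")
    return reasons


def find_suspicious_autoruns(reg_text):
    """Return [(value_name, data, reasons)] for every flagged entry."""
    findings = []
    for name, data in parse_run_values(reg_text).items():
        reasons = classify_entry(data)
        if reasons:
            findings.append((name, data, reasons))
    return findings


if __name__ == "__main__":
    for name, data, reasons in find_suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"{name!r} -> {data}: {'; '.join(reasons)}")
```

A clean entry such as the "Sync" value (a vendor executable under Program Files) produces no findings, so the output is limited to the two Dofoil.O-style values. The same parser works on an export of the HKLM Run keys if the key name passed to parse_run_values is changed.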

Other malware, such as DDoS:Win32/Dofoil.A, may be installed concurrently with TrojanDownloader:Win32/Dofoil.O in the affected system.



Payload

Downloads and executes arbitrary files

TrojanDownloader:Win32/Dofoil.O injects code into the Windows system process "svchost.exe" that attempts to connect to a remote server over HTTP. If a connection is successfully established between the affected computer and the remote server, the trojan receives a response containing encrypted configuration data, which may consist of URLs and execution options. One or more binaries are then downloaded and decrypted. In the wild, TrojanDownloader:Win32/Dofoil.O has been observed communicating with one of the following remote servers for this purpose:

87.229.126.28
87.229.126.29
belgorods.ru
ennriver.in
hohlushki.mcdir.ru
kendoriver.in
labrador2011.ru
myopt.jino.ru
polivar.net
sdfdsfjke.com
shower125222.ru
shower464719.ru
sjiejuhee.com
south27837.ru
south78483825.ru
total236531.ru
total336653.ru
waytraffic.net
wwidow.com
wwidow77.com
yukon2011.ru

The retrieved files are either written to disk in the %Temp% folder and run, or they may be loaded and injected directly into another process.
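Because the beaconing is done from an injected "svchost.exe" over plain HTTP, proxy or DNS logs are a practical place to look for the servers listed above. The following is an added example, not Microsoft's or the analyst's code: it matches constructed log lines against the hostnames and IP addresses quoted in the report, treating a subdomain of a listed host as a hit and normalising case and trailing dots. The log format (timestamp, client, destination, method, path, process) is an assumption made for the example.

```python
"""Indicator matching for the Dofoil.O remote servers listed in the report.

Added example: scans constructed proxy-style log lines for the hostnames and
IPs the report attributes to TrojanDownloader:Win32/Dofoil.O. A subdomain of a
listed host counts as a match; a host that merely contains a listed name as a
substring (e.g. "notwwidow.com") does not.
"""
import ipaddress

# Indicators quoted in the report.
DOFOIL_C2_HOSTS = {
    "belgorods.ru", "ennriver.in", "hohlushki.mcdir.ru", "kendoriver.in",
    "labrador2011.ru", "myopt.jino.ru", "polivar.net", "sdfdsfjke.com",
    "shower125222.ru", "shower464719.ru", "sjiejuhee.com", "south27837.ru",
    "south78483825.ru", "total236531.ru", "total336653.ru", "waytraffic.net",
    "wwidow.com", "wwidow77.com", "yukon2011.ru",
}
DOFOIL_C2_IPS = {
    ipaddress.ip_address("87.229.126.28"),
    ipaddress.ip_address("87.229.126.29"),
}

# Constructed sample log: timestamp client destination method path process.
SAMPLE_LOG = """\
2012-03-10T09:12:01Z 10.0.0.15 WWIDOW77.COM. GET /index.php svchost.exe
2012-03-10T09:12:03Z 10.0.0.15 87.229.126.29 GET /file.bin svchost.exe
2012-03-10T09:13:00Z 10.0.0.22 cdn.example.com GET /jquery.js firefox.exe
2012-03-10T09:14:10Z 10.0.0.15 update.belgorods.ru GET /cfg svchost.exe
2012-03-10T09:15:00Z 10.0.0.31 notwwidow.com GET / chrome.exe
"""


def normalise_host(host):
    """Lower-case the destination and drop a trailing DNS root dot."""
    return host.strip().rstrip(".").lower()


def matches_c2(destination):
    """Return the matching indicator for a host or IP literal, or None."""
    dest = normalise_host(destination)
    try:
        return dest if ipaddress.ip_address(dest) in DOFOIL_C2_IPS else None
    except ValueError:
        pass  # not an IP literal; treat as a hostname
    labels = dest.split(".")
    # Walk from the full name down to its parent domains so subdomains match.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOFOIL_C2_HOSTS:
            return candidate
    return None


def scan_log(text):
    """Return [(client, indicator, process)] for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; skip rather than guess field positions
        _ts, client, dest, _method, _path, process = fields[:6]
        indicator = matches_c2(dest)
        if indicator:
            hits.append((client, indicator, process))
    return hits


if __name__ == "__main__":
    for client, indicator, process in scan_log(SAMPLE_LOG):
        print(f"{client} -> {indicator} via {process}")
```

In the sample, all three hits come from the same client and from "svchost.exe", which is what the injection described above would look like in process-attributed proxy or EDR telemetry; a hit from a browser process would still warrant a look but is less characteristic of this family.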



Analysis by Gilou Tenebro

Last update 10 March 2012
