Trojan:Win32/Dardo.A
First posted on 31 August 2011.
Source: SecurityHome
Aliases:
Trojan:Win32/Dardo.A is also known as Troj/Agent-TBY (Sophos), Trojan.FakeAV (Symantec).
Explanation:
Trojan:Win32/Dardo.A is a malicious program that does not spread on its own (it is a trojan, not a worm or virus). It may perform a number of actions of an attacker's choice on an affected computer.
Installation
Trojan:Win32/Dardo.A creates the following files on an affected computer:
- <system folder>\dll.dll
- c:\documents and settings\administrator\application data\winspcfg053.exe
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista and 7. The "administrator" segment of the second path is the profile name on the analysis machine, not part of the indicator; on an affected host the file would most likely sit under the Application Data folder of whichever user profile ran the trojan, so check every profile.
Payload
Modifies browser settings
Trojan:Win32/Dardo.A locks the Internet Explorer toolbar by making the following registry modification:
Adds value: "Locked"
With data: "1"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar
Contacts remote hosts
The malware may contact the following remote hosts using port 80:
- realpetropoulos.gr
- www.youtube.com
Note that www.youtube.com is a high-traffic legitimate site; a request to it most plausibly serves the connectivity check listed below, so treat it as weak evidence on its own and rely on the first host, the dropped files and the registry value when hunting.
Commonly, malware may contact a remote host for the following purposes:
- To confirm Internet connectivity
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
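The indicators above (two file paths, one registry value, two hosts on port 80) are the kind of thing a responder sweeps for across collected host artifacts. The following matcher is an added example and not code from the original description or from the analysis system that produced it. It encodes the indicators as listed, expands <system folder> to the documented defaults, matches the per-user drop on its file name under any profile, parses `reg query` style output and a simple proxy log (both formats and all sample data are constructed for the example), and down-weights www.youtube.com as discussed above.

```python
"""IOC matcher for the Trojan:Win32/Dardo.A indicators (added example)."""
import re
from typing import Iterable

# File indicators. <system folder> is expanded to the documented defaults.
# The per-user drop is matched as "...\application data\winspcfg053.exe"
# under any profile: "administrator" was the analysis machine's account.
SYSTEM_FOLDERS = {r"c:\windows\system32", r"c:\winnt\system32"}
SYSTEM_FILE = "dll.dll"
APPDATA_FILE = "winspcfg053.exe"
APPDATA_SUFFIX = r"\application data"

# Registry indicator: value "Locked" with data 1 under the IE Toolbar key.
REG_KEY = r"hkcu\software\microsoft\internet explorer\toolbar"
REG_VALUE = "locked"

# Network indicators. www.youtube.com is listed by the description but is a
# popular legitimate site (most plausibly a connectivity check), so it is
# reported as weak evidence only.
STRONG_HOSTS = {"realpetropoulos.gr"}
WEAK_HOSTS = {"www.youtube.com"}

# `reg query` value line: "    Name    REG_TYPE    data" (names with spaces
# are not handled by this simple pattern).
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def match_files(paths: Iterable[str]) -> list[str]:
    """Return the paths (as given) that match the two file indicators."""
    hits = []
    for raw in paths:
        path = raw.strip()
        low = path.lower().replace("/", "\\")
        folder, _, name = low.rpartition("\\")
        if name == SYSTEM_FILE and folder in SYSTEM_FOLDERS:
            hits.append(path)
        elif name == APPDATA_FILE and folder.endswith(APPDATA_SUFFIX):
            hits.append(path)
    return hits


def match_registry(reg_query_output: str) -> bool:
    """True if `reg query` output shows Locked = 1 under the IE Toolbar key."""
    current_key = ""
    for line in reg_query_output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # key header line; normalise hive name
            current_key = line.strip().lower().replace("hkey_current_user", "hkcu")
            continue
        m = _VALUE_LINE.match(line)
        if not m or current_key != REG_KEY:
            continue
        name, kind, data = m.groups()
        if name.lower() != REG_VALUE:
            continue
        if kind == "REG_DWORD":
            return int(data, 0) == 1     # reg query prints DWORDs as 0x1
        return data.strip('"') == "1"    # description shows the data as "1"
    return False


def match_hosts(proxy_log: str) -> dict[str, set[str]]:
    """Split contacted hosts (port 80 only) into strong and weak matches.

    Assumed constructed log format: <date> <time> <client> <host>:<port> <method> <path>
    """
    strong, weak = set(), set()
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host, _, port = fields[3].rpartition(":")
        if port != "80":
            continue
        host = host.lower()
        if host in STRONG_HOSTS:
            strong.add(host)
        elif host in WEAK_HOSTS:
            weak.add(host)
    return {"strong": strong, "weak": weak}


def assess(files: list[str], registry: bool, hosts: dict[str, set[str]]) -> str:
    """Combine the matches into a verdict; weak host hits alone are not enough."""
    if files or registry or hosts["strong"]:
        return "indicators present"
    if hosts["weak"]:
        return "inconclusive"
    return "no indicators"


# Constructed sample artifacts for a stand-alone run.
SAMPLE_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\dll.dll",
    r"C:\Documents and Settings\alice\Application Data\winspcfg053.exe",
]
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
    Locked    REG_DWORD    0x1
"""
SAMPLE_PROXY = """\
2011-08-31 10:00:01 10.0.0.5 www.youtube.com:80 GET /
2011-08-31 10:00:02 10.0.0.5 realpetropoulos.gr:80 GET /
2011-08-31 10:00:03 10.0.0.5 example.com:443 CONNECT -
"""

if __name__ == "__main__":
    f, r, h = match_files(SAMPLE_FILES), match_registry(SAMPLE_REG), match_hosts(SAMPLE_PROXY)
    print(f, r, h, assess(f, r, h))
```

The matcher deliberately keys the registry check on the value data, not just the value name: "Locked" under the Toolbar key is an ordinary Internet Explorer setting, and only the combination with the dropped files or the first host should drive a verdict.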
This malware description was produced and published using our automated analysis system's examination of the file with SHA1 8e27049f2fa4d302213e88e8e3adb8dbbe24eec0.
Last update: 31 August 2011