Threat Encyclopedia


You can download the removal tool here.
Short description
Win32/Daonol.C is a trojan that steals passwords and other sensitive information. The file is run-time compressed using UPX.
Installation
When executed, the trojan creates the following files:
  • ..\%currentfolder%\%random1%.%random2%
Note:
"..\" denotes the folder one level higher in the file system tree. A string with variable content is used instead of %random1-2%.

In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "aux2" = "%currentfolder%\..\%random1%.%random2%"
Information stealing
Win32/Daonol.C is a trojan that steals passwords and other sensitive information. The following information is collected:
  • FTP accounts data
The data is saved in the following file:
  • %system%\sqlsodbc.chm
Other information
The trojan blocks access to any domains that contain any of the following strings in their name:
  • Adob
  • AVG
  • AVPU
  • CAUp
  • clamav
The trojan hooks the following Windows APIs:
  • CreateProcessW [kernel32.dll]
  • connect [ws2_32.dll]
  • send [ws2_32.dll]
  • WSARecv [ws2_32.dll]
  • WSASend [ws2_32.dll]
  • recv [ws2_32.dll]
The trojan terminates processes with any of the following strings in the name:
  • .bat
  • .reg
  • reged
The trojan quits immediately if it detects a running process containing one of the following strings in its name:
  • gmer
  • le38
The trojan can redirect results of online search engines to web sites that contain adware.

The trojan can download and execute a file from the Internet.
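
The autostart entry listed under Installation can be checked offline against a registry export. The following is an added example, not part of the original entry or of any vendor tool: it parses the text of a .reg export and flags the "aux2" value under Drivers32. The sample export, the file name in it, and the path heuristic are assumptions made for illustration.

```python
import re

# Key named in the write-up above (Drivers32 under Windows NT\CurrentVersion).
DRIVERS32 = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Drivers32")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_key(reg_text, key):
    """Return {value_name: string_data} for one key of a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
        elif in_key:
            m = VALUE_RE.match(line)
            if m:
                values[unescape(m.group(1))] = unescape(m.group(2))
    return values

def audit_drivers32(reg_text):
    """Flag the 'aux2' value from the write-up, plus path-like driver data."""
    findings = []
    for name, data in parse_key(reg_text, DRIVERS32).items():
        if name.lower() == "aux2":
            findings.append((name, data, "value name used by Win32/Daonol.C"))
        elif "\\" in data or "/" in data:
            # Assumption: stock entries are bare file names, so a path is
            # only a lead to review, not proof of infection.
            findings.append((name, data, "driver data is a path (heuristic)"))
    return findings

# Constructed sample export; the file name under "aux2" is made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"wavemapper"="msacm32.drv"
"aux2"="C:\\WINDOWS\\system32\\..\\qzfk.tmp"
'''

if __name__ == "__main__":
    for name, data, reason in audit_drivers32(SAMPLE):
        print(f"{name} = {data}  [{reason}]")
```

Registry exports written by regedit or `reg export` are UTF-16 encoded, so decode the file before passing its text to `audit_drivers32`.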