Trojan.Daonol!gen1
Trojan.Daonol!gen1 is a generic detection for threats identified as part of the Trojan.Daonol family. Files detected as Trojan.Daonol!gen1 are compromised and deemed dangerous. We encourage users to run a complete virus scan immediately to remove this Trojan.
Damage Level: Low
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
- Trojan.Daonol!gen1 modifies certain registry entries so that it runs when Windows starts.
- The Trojan injects malicious code into some processes.
- It blocks processes with extensions such as .com, .bat, .reg, .cmd, .reged.
- This Trojan can redirect search engine results to web sites that can further harm the computer.
Distribution
Trojan.Daonol!gen1 primarily spreads through spam operations, in the form of either email or Internet campaigns. Authors of this Trojan also embed the code into downloadable executable files that are mostly hosted on unsecured file-sharing networks.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\"aux" = "%CurrentFolder%\[PARENT FOLDER]\[8 RANDOM CHARACTERS].[3 CHARACTERS]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\"midi9" = "%CurrentFolder%\[PARENT FOLDER]\[8 RANDOM CHARACTERS].[3 CHARACTERS] [RANDOM CHARACTERS]"
Associated Files and Folders:
%CurrentFolder%\[PARENT FOLDER]\[8 RANDOM CHARACTERS].[3 CHARACTERS]
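The check below is an added example, not part of the original write-up or of any vendor tool. It flags Drivers32 "aux" and "midi9" values that carry a folder path, as in the entries listed above, and notes whether the file name has the [8 characters].[3 characters] shape. The sample values are constructed, and treating a bare file name as a non-match is an assumption of this example.

```python
import re
import sys

DRIVERS32 = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
WATCHED = {"aux", "midi9"}  # value names listed in this write-up
# File name shape from the write-up: [8 characters].[3 characters]
NAME_SHAPE = re.compile(r"^[^\\/.\s]{8}\.[^\\/.\s]{3}$")

# Constructed sample data (not taken from a real infection).
SAMPLE = {
    "wave": r"C:\Temp\xk\ignored1.bin",       # has a path, but not a watched name
    "midi": "wdmaud.drv",
    "aux": r"C:\Temp\xk\qzkwplmx.tmp",
    "midi9": r"C:\Temp\xk\abcdefgh.dat r4nd0m",  # path plus trailing characters
}

def suspicious_drivers32(values):
    """Return findings for watched Drivers32 values that point into a folder."""
    findings = []
    for name, data in sorted(values.items()):
        if name.lower() not in WATCHED or not isinstance(data, str):
            continue
        if "\\" not in data:
            continue  # bare file name: does not match the pattern on this page
        # Last path component, minus any trailing characters after a space.
        tail = data.strip('"').rsplit("\\", 1)[-1].split()
        file_name = tail[0] if tail else ""
        findings.append({"value": name, "data": data,
                         "shape_8_3": bool(NAME_SHAPE.match(file_name))})
    return findings

def read_drivers32():
    """Read the live Drivers32 values (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DRIVERS32) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = data
    return values

if __name__ == "__main__":
    source = read_drivers32() if sys.platform == "win32" else SAMPLE
    for finding in suspicious_drivers32(source):
        print(finding)
```

A finding is a lead for the scan steps that follow, not a verdict; confirm the referenced file with an up-to-date antivirus scan before deleting anything.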
How to Remove Trojan.Daonol!gen1
1. Temporarily Disable System Restore (Windows Me/XP).
2. To be able to identify even the most recent variant of Trojan.Daonol!gen1, open your antivirus application and update the virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and load only the necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If an item cannot be deleted, place it in quarantine instead. Once the scan is complete, please proceed with the next step.
Scan with Norton Power Eraser:
Norton Power Eraser (NPE), a free tool from Symantec, provides deep scanning technology to detect and remove threats like Trojan.Daonol!gen1. NPE targets and eliminates threats that a regular virus scan fails to identify.
Important! Because of Norton Power Eraser’s aggressive method, it can select even legitimate files as suspicious. Please use this tool very carefully.