TrojanDownloader:Win32/Dofoil.T


Microsoft security software detects and removes this threat.

This threat can download other malware onto your PC, including threats that steal your user names and passwords.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat can be installed from a .zip file attached to a spam email or by exploit kits, such as FlashPack. We have also seen it installed by other malware, such as Win32/Zemot.

It installs a copy of itself using a random file and folder name to %APPDATA%, for example %APPDATA%\jhwdwcib\rttavjuv.exe.

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "<Random value>", for example "Microsoft" or "WinRar"
With data: "%APPDATA%\<random folder name>\<random file name>", for example "%APPDATA%\jhwdwcib\rttavjuv.exe"
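As an added hunting check (not part of Microsoft's write-up), the Python below looks for the persistence entry described above: values under the HKCU Policies\Explorer\Run key whose data points at %APPDATA%\<random folder>\<random file>.exe. The accepted length range for the random names, the helper names and the sample entries are assumptions; on Windows it reads the live key, elsewhere it falls back to constructed sample data.

```python
import re

# Persistence location named in the write-up (relative to HKCU).
RUN_POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

# Matches %APPDATA%\<random folder>\<random file>.exe, quoted or not, with either
# the %APPDATA% variable or its expanded Roaming path. The write-up's sample uses
# 8 lowercase letters for both names; 6-12 is an assumed tolerance, not from the page.
_APPDATA_RANDOM_RE = re.compile(
    r'^"?(?:%APPDATA%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)\\'
    r'([a-z]{6,12})\\([a-z]{6,12})\.exe"?$',
    re.IGNORECASE,
)


def is_suspicious_run_data(data):
    """True when a Run value's data follows the Dofoil.T naming pattern."""
    return bool(_APPDATA_RANDOM_RE.match(data.strip()))


def find_suspicious_entries(entries):
    """entries: iterable of (value_name, data); returns the matching pairs."""
    return [(name, data) for name, data in entries if is_suspicious_run_data(data)]


def read_policy_run_entries():
    """Enumerate the live HKCU key on Windows; [] elsewhere or if the key is absent."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_POLICY_SUBKEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries.append((name, str(data)))
                index += 1
    except OSError:
        pass  # key does not exist on this machine
    return entries


# Constructed sample values for offline use (not taken from a real infection).
SAMPLE_ENTRIES = [
    ("Microsoft", r"%APPDATA%\jhwdwcib\rttavjuv.exe"),
    ("WinRar", r'"C:\Users\alice\AppData\Roaming\kqpzmxla\bvcxwert.exe"'),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for name, data in find_suspicious_entries(read_policy_run_entries() or SAMPLE_ENTRIES):
        print(f"suspicious Policies\\Explorer\\Run value: {name} = {data}")
```

Any hit should be confirmed by hashing the referenced file and scanning it; a value name like "Microsoft" or "WinRar" pointing into a random %APPDATA% folder is the tell, not the name itself.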

This threat checks for an Internet connection by connecting to www.msn.com.

The malware tries to avoid analysis by checking whether it is running in a sandbox environment. If it detects a sandbox, it can hibernate indefinitely. It checks for a sandbox environment by:

  • Checking if its file name is “sample.exe”
  • Calling GetVolumeInformationA() to check if it is running in a sandbox environment specific to the following malware analysis systems:
    • Malwr
    • ThreatExpert
  • Checking if the following dynamic-link library files are loaded:
    • sbiedll – Sandboxie DLL
    • dbghelp – Windows Debug Help Library
  • Reading the following registry entry to get the serial ID of the hard disk:
    • HKLM\System\CurrentControlSet\Services\Disk\Enum\0
  • Checking if your hard disk serial ID contains one of the following strings:
    • qemu – QEMU emulator
    • virtual – VirtualBox, Hyper-V
    • vmware – VMware
    • xen – open source hypervisor

Payload

Downloads other malware

This threat can download and run other malware onto your PC. We have seen it download malware from the following families:

Contacts a malicious hacker

This threat collects information such as your PC:

  • Name
  • Volume serial ID

It sends this information, including a seller ID as part of the URL, to its command and control (C&C) server, and tries to hide the server address from analysis. To do this it enumerates the registry entries under the following key:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

It then gathers URLs from data within the following registry values:

  • HelpLink
  • URLInfoAbout

It sends HTTP POST requests with the stolen information to the URLs that it finds, as well as to its C&C server. The network communication is usually encrypted with a custom algorithm.

The remote C&C responds with encrypted data that includes commands and other payload binaries or plugins.

We have seen this threat contact the following C&C servers:

  • bulbushkinho.org/b<removed>
  • zoneserveryu<removed>.com

Additional information

The malware can create a mutex using your PC name and volume serial number. This can be an infection marker to prevent more than one copy of the threat running on your PC.

Analysis by Rex Plantado


Symptoms

Alerts from your security software might be the only symptom.


Prevention


Alert level: Severe
First detected by definition: 1.143.750.0
Latest detected by definition: 1.199.490.0 and higher
First detected on: Jan 24, 2013
This entry was first published on: Jan 24, 2013
This entry was updated on: Dec 01, 2014

This threat is also detected as:
  • Trojan/Win32.Xema (AhnLab)
  • Trojan-Banker.Win32.Fibbit.rq (Kaspersky)
  • W32/Trojan.JQOQ-3223 (Command)
  • Trojan horse Crypt_vb.ARV (AVG)
  • TR/Dropper.VB.16854 (Avira)
  • W32/Fibbit.RQ!tr (Fortinet)
  • WORM_ASSMY.A (Trend Micro)