Win32/Daurso is a family of trojans that attempts to steal sensitive information, including passwords and FTP authentication details from affected computers. This family targets particular FTP applications and also attempts to steal data from Protected Storage.
In the wild, we have observed Win32/Daurso being installed onto affected computers by variants of Win32/Bredolab. It may be installed to the following location:
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
When run, Win32/Daurso creates the following mutex to ensure that multiple instances of Daurso do not run simultaneously:
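Because a single-instance mutex is created by every running copy of the trojan, a defender can test for a live infection by attempting to open the mutex by name. The PowerShell function below is an added example, not code from the Microsoft encyclopedia entry; the mutex name it uses is a placeholder that must be replaced with the name recovered during analysis, since the page does not give it.

```powershell
# Added example (not from the original entry): check whether a named mutex is
# currently held on this host. The mutex name is a PLACEHOLDER (assumption);
# substitute the real Daurso mutex name from your own analysis.
function Test-NamedMutex {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true    # mutex exists: some running process created it
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false   # no mutex with this name: no instance currently running
    } catch [System.UnauthorizedAccessException] {
        return $true    # mutex exists but this account cannot open it
    }
}

$suspectMutex = 'PLACEHOLDER_DAURSO_MUTEX_NAME'   # constructed placeholder
if (Test-NamedMutex -Name $suspectMutex) {
    Write-Warning "Mutex '$suspectMutex' is present: a process holding it is running"
} else {
    Write-Output "Mutex '$suspectMutex' not found"
}
```

Named mutexes live in either the session-local or the Global\ namespace, so check both forms of the name (for example `Global\<name>` as well as `<name>`) if the analysis did not record which prefix the sample uses; an UnauthorizedAccessException still confirms the object exists.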
Steals sensitive information
Win32/Daurso queries the registry and traverses folders and files found in the system to look for sensitive information that it later sends to a remote address. It also targets Protected Storage in this manner.
Win32/Daurso has been observed to specifically target the following applications:
CoffeCup Free FTP
FTP Control 4
In the wild, Win32/Daurso has been observed sending captured information to the following remote hosts:
Analysis by Scott Molenkamp