Win32/Dofoil


Microsoft security software detects and removes this family of threats.

This family of trojans can download and run other malware.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/Dofoil is a family of trojans that connects to a remote site and downloads and executes arbitrary files.

Installation

Win32/Dofoil may copy itself to the Windows startup folder, for example:

  • <startup folder>\dxdiag.exe
  • <startup folder>\lxdiag.exe
  • <startup folder>\ctfmon.exe
  • <startup folder>\gefreg.exe

Note: <startup folder> refers to a variable location that the malware determines by querying the operating system. The default Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.

It sets the "read-only" and "system" file attributes on its copy.

Some variants may also copy themselves to the %appdata% folder using the same file names as legitimate Windows files, for example:

  • %appdata%\csrss.exe
  • %appdata%\smss.exe

Note that legitimate Windows files named "csrss.exe" and "smss.exe" exist by default in the Windows system folder; it is the location directly under %appdata%, not the name, that identifies the malware's copy.

The malware may then modify the registry so that its copy runs every time a user logs on, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Microsoft"
With data: "%appdata%\csrss.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Policies"
With data: "%appdata%\smss.exe"

The value name used in the registry entry may be any of the following:

  • adobe
  • Classes
  • EPL SHEET
  • FlySky
  • Intel
  • Local AppWizard-Generated Applications
  • Microsoft
  • Netscape
  • ODBC
  • Policies

Payload

Downloads and executes arbitrary files

Win32/Dofoil injects code into "svchost.exe", which contacts a remote server and receives a response containing encrypted configuration data. The decrypted data contains URLs and execution options. One or more binaries are downloaded and decrypted; each is then either written to disk in the %Temp% folder and executed from there, or loaded and injected directly into a process.

Win32/Dofoil may also store downloaded plugin DLLs under a random file name with the extension ".dat". Plugins are saved in the Windows startup folder, for example:

  • <startup folder>\1a28902a88.dat

It sets the "read-only", "hidden", and "system" file attributes for the downloaded plugins.

TrojanDownloader:Win32/Dofoil attempts to load all plugin DLLs found on disk when it is run.
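The installation and plugin artifacts above (the Startup-folder executables, the csrss.exe/smss.exe copies under %appdata%, the Policies\Explorer\Run value names, and the read-only/hidden/system ".dat" plugins) can be matched mechanically against a host inventory. The following script is an added triage example, not Microsoft's detection logic. It runs over an exported list of files with their attribute bits and of Run-key values rather than against a live host, so it works on any platform; the inventory below is constructed, and the user name "alice" and the Windows 7 folder layout are assumptions.

```python
"""Match host artifacts against the Win32/Dofoil installation and plugin
indicators listed on this page. Added example, not Microsoft's tooling."""
import ntpath

# Registry persistence described on the page.
POLICIES_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
DOFOIL_RUN_VALUE_NAMES = {
    n.lower() for n in (
        "adobe", "Classes", "EPL SHEET", "FlySky", "Intel",
        "Local AppWizard-Generated Applications", "Microsoft", "Netscape",
        "ODBC", "Policies",
    )
}

# File names the page lists for the Startup folder and for %appdata%.
STARTUP_FILE_NAMES = {"dxdiag.exe", "lxdiag.exe", "ctfmon.exe", "gefreg.exe"}
APPDATA_FILE_NAMES = {"csrss.exe", "smss.exe"}

# Windows file attribute bits (winnt.h).
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
PLUGIN_ATTRS = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def _same_dir(a, b):
    """Case-insensitive comparison of two Windows directory paths."""
    return ntpath.normcase(a.rstrip("\\")) == ntpath.normcase(b.rstrip("\\"))


def classify_file(path, attributes, startup_dir, appdata_dir):
    """Return the indicator descriptions a file matches (empty list if none).
    `attributes` is the Windows attribute bitmask (e.g. from GetFileAttributes)."""
    reasons = []
    directory, name = ntpath.split(path)
    lname = name.lower()
    if _same_dir(directory, startup_dir):
        if lname in STARTUP_FILE_NAMES:
            reasons.append("Dofoil dropper name in Startup folder")
        # Downloaded plugins: random-name .dat with read-only+hidden+system set.
        if lname.endswith(".dat") and attributes & PLUGIN_ATTRS == PLUGIN_ATTRS:
            reasons.append("plugin .dat with read-only/hidden/system in Startup folder")
    # csrss.exe / smss.exe are legitimate in the Windows system folder;
    # a copy directly under %appdata% is the indicator.
    if _same_dir(directory, appdata_dir) and lname in APPDATA_FILE_NAMES:
        reasons.append(f"{name} masquerading as a system process in %appdata%")
    return reasons


def _command_image(data):
    """Extract the executable path from a Run-value command line (quoted or not)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def classify_run_value(key, value_name, data):
    """Return indicator descriptions for one registry Run value."""
    if ntpath.normcase(key) != ntpath.normcase(POLICIES_RUN_KEY):
        return []
    reasons = []
    if value_name.lower() in DOFOIL_RUN_VALUE_NAMES:
        reasons.append(f"Policies\\Explorer\\Run value name {value_name!r} used by Dofoil")
    if ntpath.basename(_command_image(data)).lower() in APPDATA_FILE_NAMES:
        reasons.append(f"Policies\\Explorer\\Run launches {data!r}")
    return reasons


def triage(files, run_values, startup_dir, appdata_dir):
    """files: iterable of (path, attribute_bits); run_values: (key, name, data).
    Returns a list of (artifact, reason) tuples."""
    hits = []
    for path, attrs in files:
        hits.extend((path, r) for r in classify_file(path, attrs, startup_dir, appdata_dir))
    for key, name, data in run_values:
        hits.extend((f"{key}\\{name}", r) for r in classify_run_value(key, name, data))
    return hits


# Constructed sample inventory (assumed Windows 7 layout for a user "alice").
APPDATA = r"C:\Users\alice\AppData\Roaming"
STARTUP = APPDATA + r"\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_FILES = [
    (STARTUP + r"\dxdiag.exe", FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM),
    (STARTUP + r"\1a28902a88.dat", PLUGIN_ATTRS),
    (STARTUP + r"\notes.dat", 0x20),                  # ordinary file, archive bit only
    (r"C:\Windows\System32\csrss.exe", 0),             # legitimate system process
    (r"C:\Windows\System32\dxdiag.exe", 0),            # legitimate DirectX tool
    (APPDATA + r"\csrss.exe", FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM),
]
SAMPLE_RUN_VALUES = [
    (POLICIES_RUN_KEY, "Microsoft", r"%appdata%\csrss.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def run_sample():
    return triage(SAMPLE_FILES, SAMPLE_RUN_VALUES, STARTUP, APPDATA)


if __name__ == "__main__":
    for artifact, reason in run_sample():
        print(f"{artifact}\n    {reason}")
```

Directory comparison is exact, so the legitimate csrss.exe, smss.exe and dxdiag.exe in the system folder are not flagged; only the names in the two folders the page names are. The ".dat" check requires all three attribute bits, matching what the page says the malware sets on plugins, so an ordinary data file in the Startup folder passes.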

In the wild, Win32/Dofoil has been observed to download arbitrary files from one of the following remote servers:

  • 01eqyc.com
  • 0bv2ga.com
  • 123getos.tk
  • 3b3estudio.com
  • addimgs.com
  • aman-shhhids.com
  • anub.net
  • averaph.com
  • bgnt.net
  • blpk.net
  • bzsx.net
  • carsero.com
  • demorollz.com
  • derj.net
  • dnsfiarf<obfuscated>ktorylockup.in
  • domialepof.ru
  • elit333.net
  • feelingmoney.com
  • fkhfgfg.tk
  • gme.cz.cc
  • goodtraff.com
  • goodyeartiresisgood.in
  • helplinuxnow.tk
  • hithere.vv.cc
  • hmbpcomanyweb431.com
  • hxlb.net
  • in-in.in
  • interviewbuy.ru
  • kaza.cz.cc
  • linuxhelpnow.tk
  • mailaccaunt1.co.cc
  • mailsystem256.co.cc
  • megasexf<obfuscated>k.com
  • mialedot.ru
  • mialepromo.ru
  • miminoprost.net
  • minakala.com
  • msantispam-srv2.com
  • myldrpanel.com
  • news-banner-net.com
  • oemsoftbox.com
  • passportu.cn
  • phe-phe.com
  • plyx.net
  • polidoli200.com
  • popirosa.tk
  • porohh.net
  • profmiale.ru
  • pytt.net
  • sacv.net
  • sancan.in
  • searchgood.net
  • searchnew.net
  • ssn-much.com
  • suhont.com
  • summer-ciprys.com
  • system16286.in
  • systemupdatewins.in
  • teonflex1.tk
  • thedomonisterioster.info
  • traffic-send-poli.in
  • tynv.net
  • ventoushd.net
  • www.capodeicapi.eu
  • www.helplinuxnow.org
  • xyxyxy.ru
  • yostat100.ru
  • zastolbis.ru
  • zdesestvareznezahodi.com
  • znakomie10.ru

Additional information

Win32/Dofoil may arrive as an attachment to a spammed email message. The following are examples of file names used for the attachment:

  • New_Password_IN46537.zip
  • Invoice_Copy.zip
  • Facebook_Password.zip

Analysis by Scott Molenkamp


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • You may have received an attached file in an email that has the following, or a similar, file name:
    • New_Password_IN46537.zip
    • Invoice_Copy.zip
    • Facebook_Password.zip
  • The following files may be present in the Windows startup folder or in the %appdata% folder:
    • <startup folder>\dxdiag.exe
    • <startup folder>\lxdiag.exe
    • <startup folder>\ctfmon.exe
    • <startup folder>\gefreg.exe
    • %appdata%\csrss.exe
    • %appdata%\smss.exe

Prevention


Alert level: Severe
This entry was first published on: Apr 27, 2011
This entry was updated on: May 13, 2014

This threat is also detected as:
No known aliases