Win32/Daonol
Detected by Microsoft Defender Antivirus
Aliases: Trojan-PSW.Win32.Kates (Kaspersky), Lando (McAfee), Hacktool.Rootkit (Symantec)
Summary
Win32/Daonol is a family of trojans capable of monitoring network traffic, stealing FTP credentials, preventing access to security Web sites, disabling access to system programs, and redirecting Web searches to sites hosting other malware.
Use Microsoft Windows Defender, Microsoft Security Essentials, the Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.
Additional Recovery Instructions for Windows XP Systems
Steps to manually clean Win32/Daonol infections from within Windows XP:
1. Navigate to Start, click Run, and type the following instruction:
explorer.exe c:\
then click OK or press Enter.
2. Create a folder named cleanup: from the File menu, select New and then Folder, and type cleanup. Press Enter twice to open the newly created folder named cleanup, or double-click on the folder.
3. Navigate to Start, click Run, and type the following instruction:
explorer.exe %windir%\system32
then click OK or press Enter. Note that %windir% is intentional and points to the Windows directory as installed on the computer.
4. In the list of files, look for cmd.exe. Right-click on the file and select Copy, or press Ctrl-C to copy the program to the Windows clipboard.
5. Paste the copied file into the cleanup folder: press Alt-Tab to switch the active window to the cleanup folder and press Ctrl-V to paste the cmd.exe file into this folder.
6. Rename the copied cmd.exe executable to c.exe: right-click the copied file, select Rename, and type c.exe.
7. Double-click c.exe to open the copied command prompt and type the following instructions in order:
copy %windir%\system32\reg.exe r.exe
r.exe save "HKLM\Software\Microsoft\Windows NT\CurrentVersion" temp.dat
r.exe load HKLM\TempCleanup temp.dat
r.exe query HKLM\TempCleanup\Drivers32
8. The last instruction should display a list of registry values. Malicious registry values have the following common properties:
- The file name has the extension .bak, .tmp, .old or .dat
- The file path is a full path, including the drive letter
- The file path includes the string \..\
- The value data may include a random string such as 0yAAAAAAA
In the following example, the last entry is the malicious registry value:
midimapper REG_SZ midimap.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iv41 REG_SZ ir41_32.ax
midi9 REG_SZ C:\Windows\..\kft.bak 0yAAAAAAAA
9. Write down the malicious registry value name and file path on paper, as in the following example:
value = midi9
file = C:\Windows\..\kft.bak
10. Type the following instruction to delete the malicious registry value:
r.exe delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v <value>
where <value> is the value name that you wrote down in step 9. For the above example the instruction would be:
r.exe delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v midi9
11. Delete the Win32/Daonol file by typing the following instruction:
del "C:\Windows\..\<file>"
where <file> is the file name from the path that you wrote down in step 9. For the above example the instruction would be:
del "C:\Windows\..\kft.bak"
12. Restart your computer.
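The four indicators listed in step 8 can be checked mechanically rather than by eye. As an added example that is not part of the Microsoft page, the following Python script parses saved reg.exe query output and reports which indicators each Drivers32 value matches. It assumes the indented name/type/data layout of reg.exe query output, approximates the "random string" indicator as any extra token after the file path, and uses a constructed sample modelled on the example above.

```python
import re
from typing import Dict, List

# Constructed sample of `r.exe query HKLM\TempCleanup\Drivers32` output,
# modelled on the step 8 example (not a real capture).
SAMPLE_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\TempCleanup\Drivers32
    midimapper    REG_SZ    midimap.dll
    vidc.iv32     REG_SZ    ir32_32.dll
    vidc.iv41     REG_SZ    ir41_32.ax
    midi9         REG_SZ    C:\Windows\..\kft.bak 0yAAAAAAAA
"""

# One value line: indented name, REG_* type, then data (assumed reg.exe layout).
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")
SUSPECT_EXTENSIONS = (".bak", ".tmp", ".old", ".dat")


def parse_reg_query(text: str) -> Dict[str, str]:
    """Map each value name to its data for every REG_* line in the output."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1)] = match.group(3)
    return values


def suspicious_reasons(data: str) -> List[str]:
    """Return which of the four Daonol indicators from step 8 the data matches."""
    tokens = data.split()
    path = tokens[0] if tokens else ""
    reasons = []
    if path.lower().endswith(SUSPECT_EXTENSIONS):
        reasons.append("suspect extension")
    if re.match(r"^[A-Za-z]:\\", path):
        reasons.append("full path with drive letter")
    if "\\..\\" in path:
        reasons.append("contains \\..\\")
    if len(tokens) > 1:  # approximates a trailing random string such as 0yAAAAAAAA
        reasons.append("extra data after file path")
    return reasons


def find_daonol_values(text: str) -> Dict[str, List[str]]:
    """Flag every Drivers32 value that matches at least one indicator."""
    found = {name: suspicious_reasons(data) for name, data in parse_reg_query(text).items()}
    return {name: reasons for name, reasons in found.items() if reasons}
```

A value that matches only one indicator deserves a manual look before deletion; legitimate Drivers32 entries are bare DLL names, as the first three sample lines show.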