Win32/Dofoil is a family of trojans that connects to a remote site and downloads and executes arbitrary files.
Installation
Win32/Dofoil may copy itself to the Windows startup folder, for example:
- <startup folder>\dxdiag.exe
- <startup folder>\lxdiag.exe
- <startup folder>\ctfmon.exe
- <startup folder>\gefreg.exe
Note: <startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
It sets the "read-only" and "system" file attributes on its copy.
Some variants may also copy themselves in the %appdata% folder using the same file names as legitimate Windows files, for example:
- %appdata%\csrss.exe
- %appdata%\smss.exe
Note that legitimate Windows files also named "csrss.exe" and "smss.exe" exist by default in the Windows system folder.
They may then modify the registry to ensure that their copy runs every time a user logs on, for example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Microsoft"
With data: "%appdata%\csrss.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Policies"
With data: "%appdata%\smss.exe"
The value used in the registry entry may be any of the following:
- adobe
- Classes
- EPL SHEET
- FlySky
- Intel
- Local AppWizard-Generated Applications
- Microsoft
- Netscape
- ODBC
- Policies
Payload
Downloads and executes arbitrary files
Win32/Dofoil injects code into "svchost.exe", which contacts a remote server and receives a response that contains encrypted configuration data. The data received by Win32/Dofoil contains URLs and execution options. One or more binaries are downloaded and decrypted. The downloaded binaries are either written to disk in the %Temp% folder and executed, or loaded and injected directly.
Win32/Dofoil may also use a random file name with the extension ".dat" for downloaded plugin DLLs. Plugins are saved in the Windows startup folder, for example:
- <startup folder>\1a28902a88.dat
It sets the "read-only", "hidden", and "system" file attributes for the downloaded plugins.
TrojanDownloader:Win32/Dofoil attempts to load all plugin DLLs found on disk when it is run.
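The host-based indicators in the Installation section above (the startup-folder copies, the %appdata% copies named after legitimate Windows binaries, and the Policies\Explorer\Run values) and the plugin ".dat" files described in this Payload section can be checked offline against a file listing and a registry export collected from a host. The following is an added triage example written for this page, not Microsoft's own tooling; the file and registry records are constructed for illustration, the attribute letters follow the convention used by attrib.exe, and the accepted length range for the hex plugin name is an assumption based on the single sample name on the page.

```python
"""Offline triage checks for the Win32/Dofoil persistence indicators on this page.

Input is assumed to be a file listing and a registry export already collected
from the host (for example by a triage script); the sample records below are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# File names observed for the copy in the Windows startup folder
STARTUP_COPY_NAMES = {"dxdiag.exe", "lxdiag.exe", "ctfmon.exe", "gefreg.exe"}
# Legitimate Windows binary names re-used for the copy in %appdata%
APPDATA_COPY_NAMES = {"csrss.exe", "smss.exe"}
# Registry value names observed under the Policies\Explorer\Run subkey
RUN_VALUE_NAMES = {
    "adobe", "Classes", "EPL SHEET", "FlySky", "Intel",
    "Local AppWizard-Generated Applications", "Microsoft",
    "Netscape", "ODBC", "Policies",
}
RUN_SUBKEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
# Plugin DLLs are dropped as <random hex>.dat in the startup folder; the
# 8-16 character range is an assumption based on the one sample name on the page
PLUGIN_NAME_RE = re.compile(r"^[0-9a-f]{8,16}\.dat$", re.IGNORECASE)


@dataclass(frozen=True)
class FileRecord:
    path: str
    attributes: frozenset  # attrib.exe letters, e.g. {"R", "H", "S", "A"}


@dataclass(frozen=True)
class RegValue:
    subkey: str
    name: str
    data: str


def _split(path):
    """Return (parent, file name), both lower-cased, for a Windows path."""
    p = path.replace("/", "\\").lower()
    parent, _, name = p.rpartition("\\")
    return parent, name


def _in_startup(parent):
    return parent.endswith(r"\programs\startup")


def _in_appdata_root(parent):
    # Directly under %appdata% (Roaming): the legitimate csrss.exe and
    # smss.exe live in the Windows system folder, so they are not flagged
    return parent == "%appdata%" or parent.endswith(r"\appdata\roaming")


def scan_files(files):
    """Return (indicator, path, confidence) for every matching file record."""
    findings = []
    for f in files:
        parent, name = _split(f.path)
        attrs = {a.upper() for a in f.attributes}
        if _in_startup(parent) and name in STARTUP_COPY_NAMES:
            # The copy is set read-only + system; missing attributes lower confidence
            conf = "high" if {"R", "S"} <= attrs else "medium"
            findings.append(("startup_copy", f.path, conf))
        elif _in_startup(parent) and PLUGIN_NAME_RE.match(name):
            # Plugins are set read-only + hidden + system
            conf = "high" if {"R", "H", "S"} <= attrs else "medium"
            findings.append(("plugin_dat", f.path, conf))
        elif _in_appdata_root(parent) and name in APPDATA_COPY_NAMES:
            findings.append(("appdata_copy", f.path, "high"))
    return findings


def scan_registry(values):
    """Flag Policies\\Explorer\\Run values that launch csrss/smss from %appdata%."""
    findings = []
    for v in values:
        if v.subkey.lower() != RUN_SUBKEY.lower():
            continue
        parent, name = _split(v.data.strip('"'))
        if _in_appdata_root(parent) and name in APPDATA_COPY_NAMES:
            conf = "high" if v.name in RUN_VALUE_NAMES else "medium"
            findings.append(("run_policy_persist", f"{v.name} -> {v.data}", conf))
    return findings


# Constructed sample collection (not real host data)
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_FILES = [
    FileRecord(STARTUP + r"\dxdiag.exe", frozenset({"R", "S"})),
    FileRecord(STARTUP + r"\1a28902a88.dat", frozenset({"R", "H", "S"})),
    FileRecord(r"C:\Users\alice\AppData\Roaming\csrss.exe", frozenset({"A"})),
    FileRecord(r"C:\Windows\System32\csrss.exe", frozenset({"A"})),   # legitimate
    FileRecord(r"C:\Windows\System32\dxdiag.exe", frozenset({"A"})),  # legitimate
    FileRecord(STARTUP + r"\report.dat", frozenset({"A"})),           # not a hex name
]
SAMPLE_REGISTRY = [
    RegValue(RUN_SUBKEY, "Microsoft", r"%appdata%\csrss.exe"),
    RegValue(RUN_SUBKEY, "Policies", r"%appdata%\smss.exe"),
    RegValue(RUN_SUBKEY, "Updater", r"C:\Program Files\Vendor\upd.exe"),  # benign
]


def triage(files=SAMPLE_FILES, values=SAMPLE_REGISTRY):
    return scan_files(files) + scan_registry(values)


if __name__ == "__main__":
    for indicator, where, conf in triage():
        print(f"[{conf}] {indicator}: {where}")
```

The attribute check is used to grade confidence rather than to gate a finding, because a copy that has already been cleaned of its attributes by another tool is still worth reviewing; the same applies to a Policies\Explorer\Run value whose name is not in the observed list.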
In the wild, Win32/Dofoil has been observed to download arbitrary files from one of the following remote servers:
- 01eqyc.com
- 0bv2ga.com
- 123getos.tk
- 3b3estudio.com
- addimgs.com
- aman-shhhids.com
- anub.net
- averaph.com
- bgnt.net
- blpk.net
- bzsx.net
- carsero.com
- demorollz.com
- derj.net
- dnsfiarf<obfuscated>ktorylockup.in
- domialepof.ru
- elit333.net
- feelingmoney.com
- fkhfgfg.tk
- gme.cz.cc
- goodtraff.com
- goodyeartiresisgood.in
- helplinuxnow.tk
- hithere.vv.cc
- hmbpcomanyweb431.com
- hxlb.net
- in-in.in
- interviewbuy.ru
- kaza.cz.cc
- linuxhelpnow.tk
- mailaccaunt1.co.cc
- mailsystem256.co.cc
- megasexf<obfuscated>k.com
- mialedot.ru
- mialepromo.ru
- miminoprost.net
- minakala.com
- msantispam-srv2.com
- myldrpanel.com
- news-banner-net.com
- oemsoftbox.com
- passportu.cn
- phe-phe.com
- plyx.net
- polidoli200.com
- popirosa.tk
- porohh.net
- profmiale.ru
- pytt.net
- sacv.net
- sancan.in
- searchgood.net
- searchnew.net
- ssn-much.com
- suhont.com
- summer-ciprys.com
- system16286.in
- systemupdatewins.in
- teonflex1.tk
- thedomonisterioster.info
- traffic-send-poli.in
- tynv.net
- ventoushd.net
- www.capodeicapi.eu
- www.helplinuxnow.org
- xyxyxy.ru
- yostat100.ru
- zastolbis.ru
- zdesestvareznezahodi.com
- znakomie10.ru
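The server list above is most useful when it is matched against proxy or DNS logs, and the match has to tolerate subdomains, upper-case names, trailing dots and explicit ports, while the two entries containing "<obfuscated>" cannot be used as exact indicators at all. The following is an added example written for this page, not part of the original analysis; it embeds a subset of the list (extend it with the full list in practice) and a constructed proxy log in a simple "timestamp client method url status" format.

```python
"""Match proxy log hostnames against the Win32/Dofoil server list on this page."""
import re
from urllib.parse import urlparse

# A subset of the remote servers listed on this page; extend with the full list.
# Entries containing "<obfuscated>" are not usable as exact indicators and are dropped.
DOFOIL_DOMAINS_RAW = [
    "01eqyc.com", "anub.net", "goodtraff.com", "helplinuxnow.tk",
    "dnsfiarf<obfuscated>ktorylockup.in", "systemupdatewins.in",
    "www.capodeicapi.eu", "zdesestvareznezahodi.com",
]


def normalize(host):
    """Lower-case, strip a trailing dot and any :port suffix."""
    host = host.strip().lower().rstrip(".")
    return host.split(":", 1)[0]


def build_indicator_set(raw):
    return {normalize(d) for d in raw if "<obfuscated>" not in d}


INDICATORS = build_indicator_set(DOFOIL_DOMAINS_RAW)


def matched_indicator(host, indicators=INDICATORS):
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = normalize(host)
    labels = host.split(".")
    # Walk from the full name to shorter suffixes (a.b.anub.net -> b.anub.net ->
    # anub.net) but never down to the bare TLD
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


# Constructed log format: timestamp client method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = """\
2012-03-10T14:22:05Z 10.0.0.12 GET http://goodtraff.com/cfg.bin 200
2012-03-10T14:22:07Z 10.0.0.12 GET http://CDN.anub.net./plugin.dat 200
2012-03-10T14:23:01Z 10.0.0.45 GET http://www.example.com/ 200
2012-03-10T14:23:09Z 10.0.0.45 GET http://notanub.net/ 404
2012-03-10T14:24:00Z 10.0.0.12 GET http://helplinuxnow.tk:8080/x 200
"""


def scan_log(text, indicators=INDICATORS):
    """Return (client, normalized host, matched indicator) for every hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_host = urlparse(m["url"]).hostname
        if raw_host is None:
            continue
        host = normalize(raw_host)
        ind = matched_indicator(host, indicators)
        if ind:
            hits.append((m["client"], host, ind))
    return hits


if __name__ == "__main__":
    for client, host, ind in scan_log(SAMPLE_LOG):
        print(f"{client} contacted {host} (matches {ind})")
```

Suffix matching is done label by label rather than with a substring test so that "notanub.net" does not match "anub.net", while "cdn.anub.net" does; the entry "www.capodeicapi.eu" is kept as written, so the bare "capodeicapi.eu" is not treated as a hit.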
Additional information
Win32/Dofoil may arrive as an attachment to a spammed email message. The following are examples of file names used for the attachment:
- New_Password_IN46537.zip
- Invoice_Copy.zip
- Facebook_Password.zip
Analysis by Scott Molenkamp