Date discovered: 13/08/2013
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 45.056 Bytes
MD5 checksum: ab9a66a35901eb2e570813baf547f1f6
VDF version:
IVDF version:

General
Method of propagation:
   • No own spreading routine

Aliases:
   • Kaspersky: Trojan-Downloader.Win32.Dofoil.qty
   • Fortinet: W32/Dofoil.PHY!tr

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Third party control
   • Downloads files
   • Drops a file

Right after execution it runs a Windows application that displays the following window:

Files
The following file is created:

%malware execution directory%\%executed file%.txt
This is a non-malicious text file with the following content:
   • RECIPIENT: Mark Smith
     STATUS OF YOUR ITEM: not delivered
     SERVICE: Standard Shipping
     ITEM NUMBER:U2342364242354-US

Backdoor
Contact server:
One of the following:
   • http://78.133.211.**********:443/%hex number%
   • http://92.60.192.**********:443/%hex number%
   • http://177.70.22.**********:8080/%hex number%
   • http://88.84.162.**********:587/%hex number%

As a result it may send out information, and remote control could be provided.

Injection
It injects itself into a process.

Process name:
   • %SYSDIR%\svchost.exe

If successful, the malware process terminates while the injected part remains active.
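As an added example (not Avira's own tooling), a small check a defender could run over proxy or EDR telemetry to surface the behaviour the Backdoor and Injection sections above describe together: a process named svchost.exe issuing cleartext HTTP requests to port 443, 587 or 8080 with a hex-only path. The event field names and the sample events are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Ports the described C2 URLs used with plain http:// (from the description above).
# 443 and 587 normally carry TLS and SMTP submission, not cleartext HTTP, so
# the scheme/port mismatch is itself a useful signal.
WATCH_PORTS = {443, 587, 8080}
HEX_PATH = re.compile(r"^/[0-9a-fA-F]+$")  # matches the "/%hex number%" path shape


def is_dofoil_like(event):
    """Return a reason string if an event matches the described C2 pattern, else None.

    event: {"image": full path of the requesting process, "url": requested URL}
    (assumed schema; adapt to the proxy/EDR product in use)
    """
    image = event["image"].lower()
    if not image.endswith("\\svchost.exe"):
        return None
    u = urlparse(event["url"])
    if u.scheme != "http" or u.port not in WATCH_PORTS:
        return None
    if not HEX_PATH.match(u.path):
        return None
    return f"svchost.exe cleartext HTTP to {u.hostname}:{u.port} with hex-only path"


def scan(events):
    """Return (url, reason) pairs for every matching event."""
    return [(e["url"], r) for e in events if (r := is_dofoil_like(e))]


# Constructed sample telemetry, not real captures; IPs are from a documentation range.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "url": "http://203.0.113.10:443/1a2b3c4d"},
    {"image": r"C:\Windows\System32\svchost.exe", "url": "http://203.0.113.11:587/ff00aa"},
    # benign: plain HTTP on the default port 80 with a normal path
    {"image": r"C:\Windows\System32\svchost.exe", "url": "http://203.0.113.20/update/catalog.cab"},
    # different process, so not the injection pattern this entry describes
    {"image": r"C:\Program Files\Browser\browser.exe", "url": "http://203.0.113.12:8080/abcdef"},
]

if __name__ == "__main__":
    for url, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {url}: {reason}")
```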

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Andrei Gherman on Tuesday, August 13, 2013
Description updated by Andrei Gherman on Tuesday, August 13, 2013
