TrojanDownloader:Win32/Dofoil.D

Encyclopedia entry
Updated: Apr 27, 2011  |  Published: Apr 27, 2011

Aliases

W32/Trojan3.CMI (Command)
• Trojan.Agent!AwMD52+pVwM (VirusBuster)
• Win32/Bredolab.ARL (CA)
• Trojan.Tenagour.3 (Dr.Web)
• Trojan.Win32.Oficla (Ikarus)

Alert Level (?)
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.

Detection last updated: Definition: 1.121.1275.0 Released: Mar 10, 2012

Detection initially created: Definition: 1.101.373.0 Released: Mar 29, 2011

---

On this page

Summary|Symptoms|Technical Information|Prevention|Recovery

---

 

Summary

TrojanDownloader:Win32/Dofoil.D is a trojan that may arrive as a spammed email attachment. It downloads arbitrary files from a remote server.

Top

---

 

Symptoms

System changes

The following system changes may indicate the presence of this malware:

• You may have received an attached file in an email that has the following, or a similar, file name:
  
  • New_Password_IN46537.zip
  • Invoice_Copy.zip
  • Facebook_Password.zip

Top

---

 

Technical Information (Analysis)

TrojanDownloader:Win32/Dofoil.D is a trojan that may arrive as a spammed email attachment. It downloads arbitrary files from a remote server.

Installation

TrojanDownloader:Win32/Dofoil.D is a trojan that may arrive as a spammed email attachment. It may have the following file names:

• New_Password_IN46537.zip
• Invoice_Copy.zip
• Facebook_Password.zip

Payload

TrojanDownloader:Win32/Dofoil.D may connect and download arbitrary files from one of the following remote servers:

• 01eqyc.com
• 0bv2ga.com
• 123getos.tk
• 3b3estudio.com
• addimgs.com
• aman-shhhids.com
• anub.net
• averaph.com
• bgnt.net
• blpk.net
• bzsx.net
• carsero.com
• demorollz.com
• derj.net
• dnsfiarf<obfuscated>ktorylockup.in
• domialepof.ru
• elit333.net
• feelingmoney.com
• fkhfgfg.tk
• gme.cz.cc
• goodtraff.com
• goodyeartiresisgood.in
• helplinuxnow.tk
• hithere.vv.cc
• hmbpcomanyweb431.com
• hxlb.net
• in-in.in
• interviewbuy.ru
• kaza.cz.cc
• linuxhelpnow.tk
• mailaccaunt1.co.cc
• mailsystem256.co.cc
• megasexf<obfuscated>k.com
• mialedot.ru
• mialepromo.ru
• miminoprost.net
• minakala.com
• msantispam-srv2.com
• myldrpanel.com
• news-banner-net.com
• oemsoftbox.com
• passportu.cn
• phe-phe.com
• plyx.net
• polidoli200.com
• popirosa.tk
• porohh.net
• profmiale.ru
• pytt.net
• sacv.net
• sancan.in
• searchgood.net
• searchnew.net
• ssn-much.com
• suhont.com
• summer-ciprys.com
• system16286.in
• systemupdatewins.in
• teonflex1.tk
• thedomonisterioster.info
• traffic-send-poli.in
• tynv.net
• ventoushd.net
• www.capodeicapi.eu
• www.helplinuxnow.org
• xyxyxy.ru
• yostat100.ru
• zastolbis.ru
• zdesestvareznezahodi.com
• znakomie10.ru

Analysis by Jireh Sanico