Trojan.Win32.Dasmin.a
From Total Malware Info
Last edited: 18.8.2010
This Trojan downloads other malicious programs to the computer without the user's knowledge and launches them. It is a Windows application (PE-EXE file), 15,872 bytes in size, written in C++.
Installation
The Trojan creates copies of its file in the Windows directory under the names:
%System%\JDBGMRG.EXE
%System%\AVIRCHK.EXE
The Trojan sets the "hidden" attribute on these files and gives them a randomly selected creation date. To start automatically each time the system boots, the Trojan creates links to its executable files in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfigr"="%System%\JDBGMRG.EXE"
"VirusCheckII"="%System%\AVIRCHK.EXE"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSConfigr"="%System%\JDBGMRG.EXE"
"VirusCheckII"="%System%\AVIRCHK.EXE"
Payload
Once launched, the Trojan reads the value of the "MSAdmin" registry parameter:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"MSAdmin"=
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSAdmin"=
The Trojan terminates the process of the file named in that value and deletes the file itself. To reliably delete the file (on the Windows 9x family) it modifies the system file:
%WinDir%\WinInit.Ini
by adding the line:
[Rename]
nul=<the filename obtained from the registry key>
To ensure that only one copy of its process is running, the Trojan creates a unique identifier with the following name:
{05C13573-B449-4e0b-83F5-7FD612E378E9}
To hide its process (on the Windows 9x family) the Trojan uses the undocumented function:
RegisterServiceProcess
After this, the Trojan checks whether a flag is set in the registry key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
"StartupID"=
If the value of the "StartupID" parameter is the string "off", the Trojan connects to the FTP server for a period of 6 minutes and downloads the following file from it:
ftp://001667.com/loghi1/info.txt
The file is saved in the Windows system directory (and deleted after use):
%System%\dmmstp.tmp
The contents of the file are saved as the value of the registry parameter:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
"StartupID"=
If the "StartupID" parameter is absent or its value differs from the string "off", the Trojan performs the following:
- It creates a thread which, in an infinite loop, creates copies of its body and adds entries to the system registry. The names of the copies and the autorun keys are described in the "Installation" section.
- It downloads the file from the FTP server:
ftp://001667.com/loghi1/host/hosts.txt
The Trojan replaces the contents of the "hosts" file with the downloaded contents, which lets it block or redirect the user's visits to various Internet sites:
%System%\drivers\etc\hosts
- It downloads the file:
ftp://001667.com/loghi1/popup/popup.ini
and saves it in the system directory:
%System%\dmmpop.tmp
After start, the Trojan removes the downloaded file.
- It downloads the file:
ftp://001667.com/loghi1/sethp/hp.ini
and replaces the values of the following registry parameters with the contents of the downloaded file, thereby changing the Internet Explorer settings:
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=
"Start Page"=
"Search Page"=
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=
"Default_Search_URL"=
"Search Page"=
"Start Page"=
- It downloads the file:
ftp://001667.com/loghi1/uninstall/uninstall.ini
The contents of the file are saved as the values of the registry parameters:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"MSAdmin"=
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSAdmin"=
- The Trojan connects to the following server:
http://77.88.21.3/index.htm
- The Trojan also adds an entry to the system registry whose value depends on the current date:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
"OEMCurrentVersion"=
Removal Instructions
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
- Using the Windows Task Manager, terminate the Trojan process.
- Terminate the processes:
JDBGMRG.EXE
AVIRCHK.EXE
- Delete the following files:
%System%\JDBGMRG.EXE
%System%\AVIRCHK.EXE
- Delete the following values in the system registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfigr"="%System%\JDBGMRG.EXE"
"VirusCheckII"="%System%\AVIRCHK.EXE"
"MSAdmin"=
[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
"StartupID"=
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MSConfigr"="%System%\JDBGMRG.EXE"
"VirusCheckII"="%System%\AVIRCHK.EXE"
"MSAdmin"=
- Restore or remove the values in the following system registry keys:
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=
"Start Page"=
"Search Page"=
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=
"Default_Search_URL"=
"Search Page"=
"Start Page"=
- If necessary, restore the contents of the file:
%System%\drivers\etc\hosts
to the following:
127.0.0.1 localhost
- Clean the Temporary Internet Files directory:
%Temporary Internet Files%
- Perform a full system scan using an antivirus with updated anti-virus databases.
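The following Python triage script is an added example (not from the original description or its authors): it parses a .reg export of the Run/RunServices keys and a hosts file and flags the indicators listed in the Installation and Removal Instructions sections. The registry export and hosts contents below are constructed samples, and "oldtool.exe" is a placeholder for whatever file the "MSAdmin" value names.

```python
import re
# Indicators are those given in the description above; the sample inputs are constructed.
DASMIN_FILES = {"JDBGMRG.EXE", "AVIRCHK.EXE"}
DASMIN_VALUES = {"MSConfigr", "VirusCheckII", "MSAdmin"}
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

def parse_reg_export(text):
    """Parse a minimal .reg export into {key path: {value name: string data}}."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg exports escape backslashes inside string data
                result[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return result

def find_dasmin_autoruns(reg):
    """Return (key, value name, data) for autorun entries matching the indicators."""
    hits = []
    for key in AUTORUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if name in DASMIN_VALUES or data.rsplit("\\", 1)[-1].upper() in DASMIN_FILES:
                hits.append((key, name, data))
    return hits

def suspicious_hosts_lines(hosts_text):
    """Return every hosts entry other than the plain '127.0.0.1 localhost' mapping."""
    bad = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and (fields[0] != "127.0.0.1" or fields[1:] != ["localhost"]):
            bad.append((fields[0], fields[1:]))
    return bad

# Constructed sample artifacts; "oldtool.exe" is a placeholder for whatever MSAdmin names.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfigr"="C:\\WINDOWS\\system32\\JDBGMRG.EXE"
"MSAdmin"="C:\\WINDOWS\\system32\\oldtool.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"VirusCheckII"="C:\\WINDOWS\\system32\\AVIRCHK.EXE"
'''
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 update.example.com\n192.0.2.10 www.example.net\n"
```

Run `find_dasmin_autoruns(parse_reg_export(SAMPLE_REG))` and `suspicious_hosts_lines(SAMPLE_HOSTS)` against a real `reg export` file and the live hosts file to triage a suspected host; the MSAdmin hit tells you which file the Trojan was instructed to kill and delete.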