Remove Trojan.Donbot

Posted on: January 28th, 2009

Discovered: January 21, 2009
Known As:

Troj/Spy-BP [Sophos]

Type:

Trojan

Systems Affected:

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Recommended Action:
NoAdware can remove Trojan Donbot.

Technical Details:

When the Trojan executes, it creates the following files:

* %System%\sysmgr.exe

* %System%\msvcrt2.dll

Next, it creates the following registry entry so that it executes whenever Windows starts:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft(R) System Manager" = "%System%\sysmgr.exe"

It also creates the following registry entries:

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpTimedWaitDelay" = "0x0000001E"

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"MaxUserPort" = "0x00008000"
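The file and registry indicators listed above can be checked with a read-only PowerShell script. This is an added example, not part of the original advisory or of any removal tool; the function name Get-DonbotIndicator is hypothetical.

```powershell
# Added example: read-only check for the Trojan.Donbot indicators listed above.
# Get-DonbotIndicator is a hypothetical name, not part of any product.
function Get-DonbotIndicator {
    $findings = @()

    # %System% in the advisory is the Windows system directory.
    $system = [Environment]::GetFolderPath('System')
    foreach ($file in 'sysmgr.exe', 'msvcrt2.dll') {
        $path = Join-Path $system $file
        if (Test-Path -LiteralPath $path) {
            $findings += "File present: $path"
        }
    }

    # Run value that starts sysmgr.exe every time Windows starts.
    $runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runName = 'Microsoft(R) System Manager'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$runName]) {
        $findings += "Run value '$runName' = $($run.PSObject.Properties[$runName].Value)"
    }

    # TCP/IP parameters set by the Trojan. Administrators also set these when
    # tuning busy servers, so a match on its own is a weak signal.
    $tcpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $expected = @{ TcpTimedWaitDelay = 0x1E; MaxUserPort = 0x8000 }
    $tcp = Get-ItemProperty -Path $tcpKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        if ($tcp -and $tcp.PSObject.Properties[$name] -and
            $tcp.$name -eq $expected[$name]) {
            $findings += 'Tcpip parameter {0} = 0x{1:X8}' -f $name, $tcp.$name
        }
    }

    return $findings
}

$hits = @(Get-DonbotIndicator)
if ($hits.Count -gt 0) { $hits } else { 'No indicators from this advisory found.' }
```

On 64-bit Windows, run it from the 32-bit PowerShell as well, because a 32-bit program's writes to %System% and HKLM\SOFTWARE are redirected to SysWOW64 and Wow6432Node.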

The Trojan attempts to contact certain IP addresses, which may include one of the following:

* don.hmarhelo.com on TCP port 2251

* 89.149.244.22 on TCP port 2211

* 212.95.32.171 on TCP port 2351

* 66.186.34.98 on TCP port 2485

It may then create a unique session in order to perform the following tasks:

* Download an updated copy of itself

* Download configuration data that contains email addresses and contents for the spammed emails

The Trojan then attempts to send spam emails with the following characteristics from the compromised computer:

Message Body:

In Order To Place Your Order:

Phentermine 37.5

Vicodin

Ambien

Anything you need without doctor’s note and overnighted!

To find these and more navigate to this address:

[URL]

Note: [URL] above denotes a URL on one of the following domains:

