Backdoor.Doster


Discovered: July 15, 2004
Updated: July 15, 2004 11:39:43 AM
Systems Affected: Windows

Backdoor.Doster is a backdoor server program that allows unauthorized remote access to a compromised computer and modifies the Hosts file.

Antivirus Protection Dates

  • Initial Rapid Release version July 15, 2004
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version July 15, 2004
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date July 15, 2004

When the Trojan is executed, it creates the following file:
%Windir%\hosts

The Trojan then replaces the hosts file with the dropped hosts file so that any traffic going to the URLs listed in it is redirected to the local computer (127.0.0.1).

It then creates the following registry entry so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Explorer" = "%System%\explorer.exe"

However, it does not copy the explorer.exe file to the %System% folder. Explorer.exe contains functionality to open a back door on TCP port 80.
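
Both artifacts described above, the loopback hosts entries and the "Explorer" Run value, can be checked for with a short script. The following Python sketch is an added example, not part of the original write-up: the function names, the sample hosts text and the sample Run values are constructed for illustration, and `%System%` is expanded to an assumed `C:\Windows\System32`.

```python
import ntpath

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = """\
# constructed sample, not taken from a real machine
127.0.0.1 localhost
127.0.0.1 search.example.com www.search.example.com
::1 localhost
10.0.0.5 intranet.example.com  # legitimate mapping
127.0.0.1 updates.example.net
"""
SAMPLE_RUN = {  # constructed Run-key values (name -> data)
    "Explorer": r"%System%\explorer.exe",
    "ExampleUpdater": r"C:\Program Files\Example\updater.exe",
}

def loopback_redirects(hosts_text):
    """Return hostnames that a hosts file maps to a loopback/null address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]  # one address, one or more names
        if addr in LOOPBACK or addr.startswith("127."):
            hits += [n.lower() for n in names if n.lower() not in LOCAL_NAMES]
    return hits

def suspicious_run_values(run_values, system_dir=r"C:\Windows\System32"):
    """Flag Run values that launch explorer.exe from the System folder.
    The genuine explorer.exe lives in %Windir%, not %System%."""
    expected = ntpath.normcase(ntpath.join(system_dir, "explorer.exe"))
    flagged = []
    for name, data in run_values.items():
        path = data.strip().strip('"').replace("%System%", system_dir)
        path = ntpath.normcase(ntpath.normpath(path))
        if path == expected:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print("Loopback redirects:", loopback_redirects(SAMPLE_HOSTS))
    print("Suspicious Run values:", suspicious_run_values(SAMPLE_RUN))
```

On a live system, feed `loopback_redirects` the contents of the hosts file and `suspicious_run_values` the name/data pairs read from the Run key listed above.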