
HTTP DronDog Trojan Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects DronDog communicating with, and requesting information from, its controlling server.

Additional Information

When the Trojan is executed, it copies itself to the following location:
%UserProfile%\Local Settings\Temporary Internet Files\[RANDOM FILE NAME].exe

It also drops the following file:
%System%\drivers\usbhdd.sys

Next, the Trojan registers the file usbhdd.sys as the following service:
usbhdd

The above service disables certain programs that monitor changes to the hard disk.

The Trojan then searches for the following file:
%System%\userinit.exe

It overwrites the above file with malicious code that downloads other malware from the following remote location:
[http://]1.0803071030.net/[REMOVED]

Next, the Trojan restores the disabled programs that monitor the changes of the hard disk.

The Trojan then deletes the following files:

* %System%\drivers\usbhdd.sys
* %UserProfile%\Local Settings\Temporary Internet Files\[RANDOM FILE NAME].exe
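The following PowerShell script is an added host-check example, not Symantec's code or part of this signature; it looks for the artifacts the write-up above attributes to DronDog. The service name, driver path, userinit.exe path and Temporary Internet Files location are taken from the write-up; the function name `Test-DronDogArtifacts` and the use of the Authenticode signature on userinit.exe as the durable indicator are my own choices. It assumes an elevated PowerShell session on a Windows version that ships PowerShell (the Windows 9x/Me/NT entries in the Affected list are out of scope for it).

```powershell
# Added example (not Symantec's code): checks a Windows host for the artifacts
# this write-up attributes to DronDog. Run from an elevated PowerShell session.
# Paths and the service name come from the write-up; the function name is assumed.

function Test-DronDogArtifacts {
    [CmdletBinding()]
    param()

    $findings = @()
    $sys = Join-Path $env:SystemRoot 'System32'   # %System% in the write-up

    # 1. Service registration: the Trojan registers usbhdd.sys as a service named "usbhdd".
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\usbhdd'
    if (Test-Path $svcKey) {
        $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings += "Service key present: $svcKey (ImagePath: $img)"
    }
    if (Get-Service -Name 'usbhdd' -ErrorAction SilentlyContinue) {
        $findings += 'Service "usbhdd" is registered with the Service Control Manager'
    }

    # 2. Dropped driver. The write-up says the Trojan deletes this file after
    #    userinit.exe has been overwritten, so its absence does not clear the host.
    $drv = Join-Path $sys 'drivers\usbhdd.sys'
    if (Test-Path $drv) { $findings += "Dropped driver present: $drv" }

    # 3. userinit.exe is overwritten with downloader code. A userinit.exe that no
    #    longer carries a valid Microsoft Authenticode signature is the lasting sign.
    $userinit = Join-Path $sys 'userinit.exe'
    if (Test-Path $userinit) {
        $sig = Get-AuthenticodeSignature -FilePath $userinit
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $hash = (Get-FileHash -Path $userinit -Algorithm SHA256).Hash
            $findings += "userinit.exe signature status '$($sig.Status)' (SHA256 $hash)"
        }
    }

    # 4. Self-copy in Temporary Internet Files. The name is random, so any
    #    executable in that folder is worth a look.
    $tif = Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files'
    if (Test-Path $tif) {
        Get-ChildItem -Path $tif -Filter '*.exe' -Force -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "Executable in Temporary Internet Files: $($_.FullName)" }
    }

    return $findings
}

$result = Test-DronDogArtifacts
if ($result.Count -eq 0) { 'No DronDog artifacts found.' } else { $result }
```

Because the Trojan removes its own driver and dropped copy once userinit.exe has been replaced, a clean result for checks 1, 2 and 4 on its own means little; the signature status of userinit.exe (check 3) is the one to act on, and a file that fails it should be restored from installation media or a known-good copy after the full scan in the Response section.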

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows Vista
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Restart the computer using the Windows Recovery Console.
2. Disable System Restore (Windows Me/XP).
3. Update the virus definitions.
4. Run a full system scan.