This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects DronDog communicating and requesting information from its controlling server.
When the Trojan is executed, it copies itself to the following location:
%UserProfile%\Local Settings\Temporary Internet Files\[RANDOM FILE NAME].exe
It also drops the following file:
Next, the Trojan registers the file usbhdd.sys as the following service:
The above service disables certain programs that monitor changes to the hard disk.
The Trojan then searches for the following file:
It overwrites the above file with malicious code that downloads other malware from the following remote location:
Next, the Trojan restores the disabled programs that monitor changes to the hard disk.
The Trojan then deletes the following files:
* %UserProfile%\Local Settings\Temporary Internet Files\[RANDOM FILE NAME].exe
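The two artefacts named above (an .exe placed directly in Temporary Internet Files and a service whose image is usbhdd.sys) can be checked against a file listing and a service export. This is an added triage example, not Symantec's code; the function name, the sample paths and the service name `ExampleSvc` are constructed assumptions.

```python
import ntpath

# Indicators stated in the write-up above.
TIF_DIR = r"local settings\temporary internet files"
DRIVER_NAME = "usbhdd.sys"

# Constructed sample data (not from the write-up): a file listing and a
# service-name -> ImagePath map, e.g. exported from an offline disk image.
SAMPLE_FILES = [
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\qxkz.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\Content.IE5\AB12\setup.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\desktop.ini",
]
SAMPLE_SERVICES = {
    "ExampleSvc": r"\??\C:\WINDOWS\system32\drivers\usbhdd.sys",
    "Beep": r"system32\drivers\beep.sys",
}


def triage(file_paths, services):
    """Return (indicator, detail) pairs for the two artefacts described."""
    findings = []
    for path in file_paths:
        norm = path.replace("/", "\\").lower()
        # The write-up places the copy directly in Temporary Internet Files,
        # so executables in the Content.IE5 cache subfolders are not flagged.
        if norm.endswith(".exe") and ntpath.dirname(norm).endswith(TIF_DIR):
            findings.append(("exe_in_temporary_internet_files", path))
    for name, image_path in services.items():
        # ImagePath values may be quoted or carry a \??\ or \SystemRoot\
        # prefix; only the final path component matters here.
        leaf = ntpath.basename(image_path.strip().strip('"')).lower()
        if leaf == DRIVER_NAME:
            findings.append(("service_image_is_usbhdd_sys", name))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_FILES, SAMPLE_SERVICES):
        print(indicator, detail)
```

Because the write-up says the Trojan deletes its own copy at the end of the routine, an empty result for the first indicator does not show that the routine never ran.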
- Windows 98
- Windows 95
- Windows XP
- Windows Me
- Windows Vista
- Windows NT
- Windows Server 2003
- Windows 2000
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Restart the computer using the Windows Recovery Console.
2. Disable System Restore (Windows Me/XP).
3. Update the virus definitions.
4. Run a full system scan.