DARKDDOSER
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
DARKDDOSER, also known as ADDNEW and DDOSER, is a Russian-built tool with the capability to steal passwords stored in Mozilla Firefox browsers.
Variants can perform several kinds of DDoS attack. They listen on certain TCP ports to send information, report the infection, and receive commands from malicious users.
DARKDDOSER is also known to download Ghost RAT, the notorious malware that was used in the Aurora attacks on Google, Adobe, and other large companies.
TECHNICAL DETAILS
Yes
Installation
This worm drops the following files:
- {Drive Letter}:\autorun.inf
It drops the following copies of itself into the affected system:
- %Application Data%\Microsoft\svchost.exe
- {Drive Letter}:\svchost.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Other System Modifications
This worm adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
svchost.exe = "%Application Data%\Microsoft\svchost.exe"
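The installation and persistence artefacts listed above (a copy of itself named svchost.exe under %Application Data%\Microsoft, a copy plus autorun.inf at the root of drives, and a Run value named svchost.exe pointing at the AppData copy) are all things a defender can hunt for. The Python script below is an added example and is not Trend Micro's code or part of this encyclopedia entry. It runs over constructed sample data (a small dictionary standing in for the HKCU Run key's values, a list of file paths standing in for a file inventory, and a constructed autorun.inf) and flags the worm's indicators. The only assumption it relies on is that a legitimate svchost.exe lives under \Windows\System32 or \Windows\SysWOW64 and is never launched from a Run value; the helper names are hypothetical.

```python
"""
Hunt for DARKDDOSER-style persistence artefacts.
Added example, not Trend Micro's code. All inputs are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: name -> data for values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
# Only the "svchost.exe" value matches the worm's entry; %Application Data%
# resolves to AppData\Roaming on Windows Vista and 7.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "svchost.exe": r'"C:\Users\alice\AppData\Roaming\Microsoft\svchost.exe"',
}

# Constructed sample file inventory (what a directory walk or EDR export might return).
SAMPLE_FILES: List[str] = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\svchost.exe",
    r"E:\svchost.exe",
    r"E:\autorun.inf",
    r"E:\photos\holiday.jpg",
]

# Constructed autorun.inf of the kind used to launch a dropped copy from a drive root.
SAMPLE_AUTORUN = "[autorun]\nopen=svchost.exe\nshellexecute=svchost.exe\n"

# Directories where a real svchost.exe is expected (assumption stated in the lead-in).
LEGIT_SVCHOST_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

# autorun.inf sitting directly at a drive root, e.g. E:\autorun.inf
DRIVE_ROOT_AUTORUN = re.compile(r"^[a-z]:\\autorun\.inf$", re.IGNORECASE)


def _is_legit_svchost(path: str) -> bool:
    """True only for svchost.exe under the Windows system directories."""
    p = path.lower()
    return p.endswith("\\svchost.exe") and any(d in p for d in LEGIT_SVCHOST_DIRS)


def suspicious_run_values(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, data) pairs whose data launches an svchost.exe outside System32."""
    hits = []
    for name, data in run_values.items():
        exe = data.strip().strip('"')
        if exe.lower().endswith("\\svchost.exe") and not _is_legit_svchost(exe):
            hits.append((name, data))
    return hits


def suspicious_files(paths: List[str]) -> List[str]:
    """Return paths that are either a misplaced svchost.exe or a drive-root autorun.inf."""
    hits = []
    for p in paths:
        if p.lower().endswith("\\svchost.exe") and not _is_legit_svchost(p):
            hits.append(p)
        elif DRIVE_ROOT_AUTORUN.match(p):
            hits.append(p)
    return hits


def autorun_targets(content: str) -> List[str]:
    """Return the executables an autorun.inf would launch via open= or shellexecute=."""
    targets = []
    for line in content.splitlines():
        m = re.match(r"^\s*(open|shellexecute)\s*=\s*(.+?)\s*$", line, re.IGNORECASE)
        if m:
            targets.append(m.group(2))
    return targets


if __name__ == "__main__":
    for name, data in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"[Run key] {name} = {data}")
    for path in suspicious_files(SAMPLE_FILES):
        print(f"[file]    {path}")
    for exe in autorun_targets(SAMPLE_AUTORUN):
        print(f"[autorun] launches {exe}")
```

On a real host the same three functions would be fed the output of a Run-key query, a file walk of user profiles and removable drives, and the contents of any drive-root autorun.inf; a hit on the Run value alone is already high-confidence, because the genuine svchost.exe is started by the Service Control Manager and never registered under Run.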
Other Details
This worm connects to the following possibly malicious URLs:
- {BLOCKED}logdns.{BLOCKED}me.net
- {BLOCKED}acks234.{BLOCKED}p.info