Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Daonol


Threat Risk LOW LOW
Destructivity Unknown UNKNOWN
Payload Steal information
Detection files published
Description created 16 Apr 2010 12:33:00
Description updated 16 Apr 2010 12:33:00
Malware type TROJAN
Alias Trojan-PSW.Win32.Kates (Kaspersky)
Lando (McAfee)
Hacktool.Rootkit (Symantec)
Trojan Dropper: Win32/Daonol (Microsoft)
Troj/Daonol-Fam (Sophos)
Spreading mechanism EMAIL



After execution the malware drops a DLL into the %User Profile% folder with a random name. A registry key is created, which maps the Windows’ dynamic-link library previously dropped. Any application that calls a sound device would load this DLL. The injected DLL, if loaded into applications such as regedit or notepad.exe, will prevent them from showing a GUI. There are instances of other versions where the trojan injects a thread into Internet Explorer that can spawn outbound TCP connections by hard coded IP addresses to download a supportive trojan.

Payload Details



[ DetectionInfo ]     * Filename: C:\Documents and Settings\135d.bin.     * Sandbox name: .     * Signature name: NOT_SCANNED.     * Compressed: YES.     * TLS hooks: YES.     * Executable type: Application.     * Executable file structure: OK.     * Filetype: PE_I386.  [ General information ]     * File length: 70125 bytes.     * MD5 hash: 135d255bad9b07d340354a0af46851d1.  [ Changes to filesystem ]     * Creates file C:\     * Deletes file c:\sample.exe.     * Creates file C:\p3.bat.     * Deletes file "c:\".     * Deletes file "c:\p3.bat". or     * %User Profile%\xrsgmrm.old  [ Changes to registry ] * Accesses Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32". Or * HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32           o midi9 = "%User Profile%\Desktop\..\xrsgmrm.old 0yAAAAAAAA" or    * HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows           o LoadAppInit_DLLs = 0x00000001     * HKLM\System\ControlSet001\Control\Session Manager           o PendingFileRenameOperations = Path To Original dropped file     * HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows           o AppInit_DLLs = ""  [ Process/window information ] • Creates process "CMD.EXE".


Norman’s antivirus products are in general able to remove all malicious software that is detected. Some malware variants, however, use techniques that the general product does not remove sufficiently. We have therefore developed the free product Lumension Malware Cleaner. Please use the latest version of this program from the link below if your Lumension antivirus is unable to clean the infection:

Last Updated: 12 Nov 2015 11:06:10