Win32/Dande [Threat Name]

Win32/Dande.A [Threat Variant Name]

Category: trojan
Size: 128528 B
Detection created: Jan 09, 2017
Detection database version: 14741
Aliases: BackDoor.Dande.61 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.

Installation

When executed, the trojan creates the following files:

  • %system%\drivers\%variable1% (11776 B)
  • %system%\drivers\%variable2%.sys (10616 B, Win32/Dande.A)
  • %system%\%variable3% (0 B)
  • %system%\%variable4% (22463 B)

A string with variable content is used in place of %variable1-5%.

The name of the file may be based on the name of an existing file or folder.
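Because the dropped file names are variable, the stable facts in the listing above are the directories, the exact sizes and the fact that only the driver carries a .sys extension. The following added example (written for this page, not ESET's code) scans a directory tree for files matching that profile; it builds a constructed stand-in for %system% in a temporary folder, and the names "ntsapi", "ntsapi_cfg" and "ntsapi_pkg" are made-up placeholders for %variable1%..%variable4%.

```python
"""Hunt for files matching the size/location profile of the Win32/Dande.A drops.

Added example for this page, not ESET's code. The demo scans a constructed
temporary tree rather than a real %system% directory.
"""
import os
import tempfile

# (subdirectory under %system%, size in bytes, expected extension)
# taken from the file listing on this page
DROP_PROFILE = [
    ("drivers", 11776, ""),      # %variable1%: no extension
    ("drivers", 10616, ".sys"),  # %variable2%.sys: the driver component
    ("", 0, ""),                 # %variable3%: empty file
    ("", 22463, ""),             # %variable4%
]


def scan_system_dir(system_dir):
    """Return [(path, size)] for files whose directory, size and extension
    match a profile entry. Size alone is a weak signal (the 0-byte entry in
    particular), so treat a hit as a lead for further inspection."""
    hits = []
    for subdir, size, suffix in DROP_PROFILE:
        folder = os.path.join(system_dir, subdir) if subdir else system_dir
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            ext = os.path.splitext(name)[1].lower()
            if os.path.getsize(path) == size and ext == suffix:
                hits.append((path, size))
    return hits


def build_demo_tree():
    """Create a constructed %system% look-alike containing the four drops
    plus benign control files; returns the root path."""
    root = tempfile.mkdtemp(prefix="dande_demo_")
    os.makedirs(os.path.join(root, "drivers"))
    samples = {
        os.path.join("drivers", "ntsapi"): 11776,      # constructed %variable1%
        os.path.join("drivers", "ntsapi.sys"): 10616,  # constructed %variable2%.sys
        "ntsapi_cfg": 0,                               # constructed %variable3%
        "ntsapi_pkg": 22463,                           # constructed %variable4%
        os.path.join("drivers", "null.sys"): 5120,     # benign: size not in profile
        "notepad.exe": 22463,                          # benign: right size, wrong extension
    }
    for rel, size in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)
    return root


def demo_hits():
    """Run the scan over the demo tree; returns sorted paths relative to
    the root, with '/' as separator so the result is platform-independent."""
    root = build_demo_tree()
    rel = [os.path.relpath(p, root).replace(os.sep, "/") for p, _ in scan_system_dir(root)]
    return sorted(rel)


if __name__ == "__main__":
    for hit in demo_hits():
        print("candidate drop:", hit)
```

On a live system the scan would be pointed at the real %system% directory; note that the extension check is what keeps same-sized benign files such as the constructed notepad.exe out of the results.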


Installs the following system drivers:

  • %system%\drivers\%variable2%.sys

This causes the trojan to be executed on every system start.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\%variable2%]
    • "ImagePath" = "system32\drivers\%variable2%.sys"
    • "DisplayName" = "%variable2%"
    • "Type" = 1
    • "Start" = 1
    • "ErrorControl" = 0
    • "ID" = "%variable5%"
    • "Desc" = "%system%\%variable3%"
    • "DriverPackageIdPkg" = "\??\%system%\%variable4%"
  • [HKEY_CURRENT_USER\Control Panel\Appearance]
    • "SmStatus" = "%variable2%"
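The registry footprint above is more stable than the file names: the driver service carries the non-standard "ID", "Desc" and "DriverPackageIdPkg" values, and a value named "SmStatus" is written under HKCU\Control Panel\Appearance, a key where such a value name is not otherwise expected. The following added example (written for this page, not ESET's detection logic) parses a Windows .reg text export offline and flags entries matching that pattern. The service name "ntsapi", the "ID" string and the file names in the sample export are constructed stand-ins for %variable2% to %variable5%; the parser handles only string and dword values, which is all this pattern needs.

```python
"""Offline triage check for the Win32/Dande.A registry footprint.

Added example for this page, not ESET's code. Parses a .reg export and
flags (a) a driver service matching the page's value pattern and
(b) the "SmStatus" marker under HKCU\\Control Panel\\Appearance.
"""
import re

SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services" + "\\"
APPEARANCE_KEY = r"HKEY_CURRENT_USER\Control Panel\Appearance"

# Constructed sample export: one service shaped like the page's listing, the
# ordinary boot-start driver "Null" as a benign control, plus the HKCU marker.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ntsapi]
"ImagePath"="system32\\drivers\\ntsapi.sys"
"DisplayName"="ntsapi"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ID"="4f2a9c1e"
"Desc"="C:\\Windows\\system32\\ntsapi_cfg"
"DriverPackageIdPkg"="\\??\\C:\\Windows\\system32\\ntsapi_pkg"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Null]
"ImagePath"="system32\\drivers\\null.sys"
"DisplayName"="Null"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Appearance]
"Current"="Windows Standard"
"SmStatus"="ntsapi"
"""

# The same export without the Dande-shaped entries, as a negative control.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Null]
"ImagePath"="system32\\drivers\\null.sys"
"DisplayName"="Null"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Appearance]
"Current"="Windows Standard"
"""


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    String values are unescaped (\\\\ -> \\), dword values become int,
    anything else is kept as the raw text after '='."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.lower().startswith("dword:"):
                val = int(val[6:], 16)
            elif len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                val = val[1:-1].replace("\\\\", "\\")
            keys[current][name] = val
    return keys


def service_evidence(name, values):
    """Return the markers from this page that one service entry matches."""
    hits = []
    image = str(values.get("ImagePath", "")).lower()
    pkg = str(values.get("DriverPackageIdPkg", ""))
    if values.get("Type") == 1 and values.get("Start") == 1:
        hits.append("kernel driver (Type=1) with Start=1 (SYSTEM start)")
    if image.startswith("system32\\drivers\\") and values.get("DisplayName") == name:
        hits.append("DisplayName identical to the service name")
    if pkg.startswith("\\??\\") and "\\drivers\\" not in pkg.lower():
        hits.append("DriverPackageIdPkg is an NT path into %system% outside \\drivers")
    if "ID" in values and "Desc" in values:
        hits.append("non-standard 'ID' and 'Desc' values present")
    return hits


def find_dande_indicators(reg_text, min_hits=3):
    """Return a list of findings. A service needs at least min_hits markers,
    so ordinary boot-start drivers (Type=1, Start=1) are not flagged."""
    keys = parse_reg(reg_text)
    findings, flagged = [], set()
    for key, values in keys.items():
        if key.lower().startswith(SERVICES_PREFIX.lower()):
            name = key[len(SERVICES_PREFIX):]
            hits = service_evidence(name, values)
            if len(hits) >= min_hits:
                flagged.add(name)
                findings.append({"indicator": "service", "name": name, "evidence": hits})
    for key, values in keys.items():
        if key.lower() == APPEARANCE_KEY.lower() and "SmStatus" in values:
            marker = str(values["SmStatus"])
            evidence = ["unexpected 'SmStatus' value under Control Panel\\Appearance"]
            if marker in flagged:
                evidence.append("value names a flagged driver service")
            findings.append({"indicator": "SmStatus", "name": marker, "evidence": evidence})
    return findings


if __name__ == "__main__":
    for f in find_dande_indicators(SAMPLE_REG):
        print(f["indicator"], f["name"], "->", "; ".join(f["evidence"]))
```

Running the script against SAMPLE_REG reports the "ntsapi" service with all four markers and the SmStatus value that names it, while the "Null" driver, which also has Type=1 and Start=1, stays below the threshold; CLEAN_REG produces no findings.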

The following files are deleted:

  • %system%\drivers\RpcSsPrt.sys
  • %system%\drivers\isaPnpPrt.sys

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • svchost.exe

The trojan terminates itself if it detects a running application whose window title contains one of the following strings:

  • PROCESS MONITOR
  • FILE MONITOR
  • REGISTRY MONITOR
  • PROCESS EXPLORER
  • INTERACTIVE DISASSEMBLER
  • DEBUGVIEW
  • WINDBG
  • SYSER
  • OLLYDBG
  • CMPDISASM
  • API MONITOR
  • FIDDLER
  • WEBPROFILER
  • HTTP SPY
  • TCPVIEW
  • WIRESHARK

Information stealing

The following information is collected:

  • computer name

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan checks for Internet connectivity by trying to connect to the following addresses:

  • http://www.microsoft.com

The trojan generates various URL addresses. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • delete files
