Win32/Dande [Threat Name]
Win32/Dande.A [Threat Variant Name]
| Detection created | Jan 09, 2017 |
| --- | --- |
| Signature database version | 14741 |
The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.
When executed, the trojan creates the following files:
- %system%\drivers\%variable1% (11776 B)
- %system%\drivers\%variable2%.sys (10616 B, Win32/Dande.A)
- %system%\%variable3% (0 B)
- %system%\%variable4% (22463 B)
A string with variable content is used instead of %variable1-5%.
The name of the file may be based on the name of an existing file or folder.
Installs the following system drivers:
This causes the trojan to be executed on every system start.
The following Registry entries are set:
- "ImagePath" = "system32\drivers\%variable2%.sys"
- "DisplayName" = "%variable2%"
- "Type" = 1
- "Start" = 1
- "ErrorControl" = 0
- "ID" = "%variable5%"
- "Desc" = "%system%\%variable3%"
- "DriverPackageIdPkg" = "\??\%system%\%variable4%"
- [HKEY_CURRENT_USER\Control Panel\Appearance]
- "SmStatus" = "%variable2%"
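The registry values listed above are the durable artefact of this infection, so a defender will usually hunt for them rather than for the randomly named files. The script below is an added example, not ESET's code: it scores service keys exported from a machine (or a registry hive) against the page's description, keying on the three value names (`ID`, `Desc`, `DriverPackageIdPkg`) that a normal driver service key does not carry, and cross-checks the `SmStatus` marker under `HKEY_CURRENT_USER\Control Panel\Appearance`. It assumes the `ImagePath`/`Type`/`Start` values live under the usual `Services` key (the page does not name the key), and the sample service names, value data and export format are constructed placeholders.

```python
"""Hunt for the Win32/Dande.A registry pattern (added example, not ESET's code).

Input is a list of service-key snapshots as a registry export or an EDR
registry dump would give; the sample at the bottom is constructed.
"""
from dataclasses import dataclass

# Value names the page lists under the driver's service key that an ordinary
# service key does not carry; all three together is the trait we key on.
NON_STANDARD_VALUES = ("ID", "Desc", "DriverPackageIdPkg")
KERNEL_DRIVER_TYPE = 1   # SERVICE_KERNEL_DRIVER ("Type" = 1 on the page)
START_SYSTEM = 1         # SERVICE_SYSTEM_START  ("Start" = 1 on the page)


@dataclass
class ServiceKey:
    name: str      # subkey name under ...\Services (assumed location)
    values: dict   # value name -> data, as exported


def _is_driver_in_system32(image_path) -> bool:
    p = str(image_path).lower().replace("/", "\\")
    return p.startswith("system32\\drivers\\") or "\\system32\\drivers\\" in p


def score_service(svc: ServiceKey) -> list:
    """Return the page-described traits present on one service key."""
    v = svc.values
    hits = []
    if v.get("Type") == KERNEL_DRIVER_TYPE and v.get("Start") == START_SYSTEM:
        hits.append("kernel driver with system start")
    if _is_driver_in_system32(v.get("ImagePath", "")):
        hits.append("ImagePath under system32\\drivers")
    if v.get("DisplayName") == svc.name:
        hits.append("DisplayName equals service name")
    present = [n for n in NON_STANDARD_VALUES if n in v]
    if present:
        hits.append("non-standard values: " + ", ".join(present))
    if str(v.get("DriverPackageIdPkg", "")).startswith("\\??\\"):
        hits.append("DriverPackageIdPkg uses NT path prefix \\??\\")
    return hits


def find_dande_like(services, sm_status=None) -> list:
    """Flag services carrying all three non-standard values; also record whether
    HKCU\\Control Panel\\Appearance\\SmStatus (if supplied) names that service."""
    findings = []
    for svc in services:
        if not all(n in svc.values for n in NON_STANDARD_VALUES):
            continue
        findings.append({
            "service": svc.name,
            "traits": score_service(svc),
            "smstatus_match": sm_status == svc.name,
        })
    return findings


# Constructed sample: one ordinary boot-start driver and one key shaped like the
# page's description. Names and data are placeholders, not real indicators.
SAMPLE_SERVICES = [
    ServiceKey("sampledisk", {
        "ImagePath": "system32\\drivers\\sampledisk.sys",
        "DisplayName": "Sample Disk Driver",
        "Type": 1, "Start": 0, "ErrorControl": 1,
    }),
    ServiceKey("kxzq", {
        "ImagePath": "system32\\drivers\\kxzq.sys",
        "DisplayName": "kxzq",
        "Type": 1, "Start": 1, "ErrorControl": 0,
        "ID": "placeholder-id",
        "Desc": "%system%\\varfile3",                   # page: the 0-byte file
        "DriverPackageIdPkg": "\\??\\%system%\\varfile4",
    }),
]
SAMPLE_SMSTATUS = "kxzq"  # constructed HKCU\Control Panel\Appearance\SmStatus data

if __name__ == "__main__":
    for f in find_dande_like(SAMPLE_SERVICES, SAMPLE_SMSTATUS):
        print(f["service"], "SmStatus match:", f["smstatus_match"])
        for t in f["traits"]:
            print("  -", t)
```

`Type` = 1 / `Start` = 1 alone is not a useful signal, because legitimate kernel drivers look the same; the check therefore only raises a finding when the non-standard value names are present, and reports the common traits as supporting context. On a live host the same logic can be fed from a `reg export` of the Services key and of `HKCU\Control Panel\Appearance`.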
The following files are deleted:
The trojan creates and runs a new thread with its own program code within the following processes:
The trojan terminates itself if it detects a window whose title contains one of the following strings:
- PROCESS MONITOR
- FILE MONITOR
- REGISTRY MONITOR
- PROCESS EXPLORER
- INTERACTIVE DISASSEMBLER
- API MONITOR
- HTTP SPY
The following information is collected:
- computer name
The trojan attempts to send gathered information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan checks for Internet connectivity by trying to connect to the following addresses:
The trojan generates various URL addresses. The HTTP protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- delete files