Troj/Daemoni-E is a backdoor proxy Trojan that allows a remote intruder to
route internet traffic through the infected computer.
The Trojan consists of two parts, a main part that allows the remote intrusion
and a downloading and installing component that is capable of downloading
new versions of itself or other malicious software from a remote website.
The downloading component will copy itself to the current user's startup folder
and to the Windows system folder and modify the following registry entry so
that it runs on system start:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
This downloading component will also drop a stealthing component as st.exe
to the Windows folder which it will then execute.
At the time of writing, the main part of Troj/Daemoni-E drops two parts of
itself to the Windows system folder as socket.exe and svchostz.exe.
The Trojan then creates the following registry entries so that svchostz.exe
will run automatically on system start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Socket Utility
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Socket Utility
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Socket Utility
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Socket Utility
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Socket Utility
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\Socket Utility
Troj/Daemoni-E also changes the following registry entry, appending to it so
that svchostz.exe is run automatically:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
The Trojan then executes svchost.exe.
Svchost.exe will execute socket.exe to start the proxy and will connect to a
remote website to notify that the computer is vulnerable.
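A read-only check for the persistence artifacts listed above, added here as an example and not part of the original advisory. It looks for the "Socket Utility" values under the six Run/RunOnce/RunServices keys, a Winlogon\Shell value that is no longer just explorer.exe (that default is an assumption), and the dropped file names; it does not remove anything.

```powershell
# Added example: enumerate the Troj/Daemoni-E persistence points named in the
# advisory. Registry paths, value names and file names come from the text; the
# Winlogon Shell default of "explorer.exe" is assumed for comparison.
$valueName = 'Socket Utility'
$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce', 'RunServices') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
    }
}
$findings = @()

# Autorun values created by svchostz.exe's installer.
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "Registry: $key\$valueName = $($item.$valueName)"
    }
}

# Winlogon\Shell normally holds only "explorer.exe"; the Trojan appends to it.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Registry: $winlogon\Shell = '$shell' (expected explorer.exe)"
}

# Dropped components: socket.exe and svchostz.exe in the system folder,
# st.exe in the Windows folder, plus anything in the user's Startup folder.
$system  = [Environment]::GetFolderPath('System')
$windows = [Environment]::GetFolderPath('Windows')
$startup = [Environment]::GetFolderPath('Startup')
$filePaths = @(
    (Join-Path $system  'socket.exe'),
    (Join-Path $system  'svchostz.exe'),
    (Join-Path $windows 'st.exe')
)
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $findings += "File: $p" }
}
Get-ChildItem -LiteralPath $startup -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Startup folder executable: $($_.FullName)" }

if ($findings.Count -eq 0) {
    'No Troj/Daemoni-E persistence artifacts found.'
} else {
    $findings
}
```

Run it in an elevated PowerShell session so the HKLM keys and the system folder are readable; a hit on the Shell value should be confirmed by hand, since legitimate software occasionally modifies it too.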