Troj/Daemoni-H is a proxy Trojan.
Troj/Daemoni-H consists of two executables which are typically installed
to the Windows system folder as scchost.exe and scchostc.exe.
A registry entry may be created to run scchost.exe automatically on startup.
A registry entry is also created under:
HKLM\SOFTWARE\Microsoft\Mrdo\winid
The scchost.exe component waits for an active internet connection and then
launches "scchostc.exe -p<port>" where <port>: is a random port within
the range 10,000 - 59,000. scchost.exe then sends a notification message to a
remote location, specifying the IP address of the current computer and the
random port.
The scchostc.exe component runs continuously in the background acting as a
proxy server on the random port.
Data can be routed to other computers via the proxy, in order to bypass access
restrictions and to hide the IP address of the source computer.
The proxy may be used to forward SPAM email.