Troj/Dagonit-A

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Dagonit-A is a multicomponent backdoor Trojan for the Windows platform that allows unauthorized remote access through a randomly opened TCP port.

The Trojan creates a user account named Service that is used by the intruder to take control of the infected computer.

When Troj/Dagonit-A is installed the following files are created:

<current folder>\dali.reg
<current folder>\dalia2.exe
<current folder>\system.bat
<current folder>\winspool.exe
<current folder>\wpap.exe

where wpap.exe is detected as Troj/Wpap-A.

Troj/Dagonit-A may attempt to replace an original winspool.exe with the Trojan file.

Troj/Dagonit-A sets a number of registry entries including the following:

HKLM\System\CurrentControlSet\Services\RDSessMgr
    Start = 2

HKLM\System\CurrentControlSet\Services\TermService
    Start = 2

HKLM\System\CurrentControlSet\Services\TlntSvr
    Start = 2

HKLM\System\CurrentControlSet\Services\lanmanserver
    Start = 2

This ensures that the following services are started on the next restart:

Remote Desktop Help Session Manager
Terminal Services
Telnet
Server

The Trojan also sets the following registry entries in an attempt to modify security settings:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections = 0
    TSAdvertise = 1
    IdleWinStationPoolCount = 1
    TSAppCompat = 1
    TSEnabled = 1
    TSUserEnabled = 1

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
    EnableConcurrentSessions = 0

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core\WinStations\RDP-Tcp
    fEnableWinStation = 1
    MaxInstanceCount = -1
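The registry values above are the most useful host-based indicators in this description. The following Python script is an added example, not part of the Sophos write-up: it parses a regedit export of the relevant keys and reports which of the listed values are present with the data the Trojan sets. The embedded export is constructed for illustration, and the hive aliases and the signed-DWORD reading of MaxInstanceCount (so that dword:ffffffff matches the -1 listed above) are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Registry indicators listed for Troj/Dagonit-A: (key, value name) -> data.
# Keys are compared case-insensitively after normalising the hive name.
INDICATORS: Dict[Tuple[str, str], int] = {
    (r"HKLM\System\CurrentControlSet\Services\RDSessMgr", "Start"): 2,
    (r"HKLM\System\CurrentControlSet\Services\TermService", "Start"): 2,
    (r"HKLM\System\CurrentControlSet\Services\TlntSvr", "Start"): 2,
    (r"HKLM\System\CurrentControlSet\Services\lanmanserver", "Start"): 2,
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server", "fDenyTSConnections"): 0,
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server", "TSAdvertise"): 1,
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server", "IdleWinStationPoolCount"): 1,
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server", "TSAppCompat"): 1,
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server", "TSEnabled"): 1,
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server", "TSUserEnabled"): 1,
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core", "EnableConcurrentSessions"): 0,
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core\WinStations\RDP-Tcp", "fEnableWinStation"): 1,
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core\WinStations\RDP-Tcp", "MaxInstanceCount"): -1,
}

# Assumed mapping from the long hive names regedit writes to the short forms used above.
HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def normalise_key(key: str) -> str:
    """Lower-case a registry path and shorten its hive name so both spellings compare equal."""
    root, sep, rest = key.strip().partition("\\")
    root = HIVE_ALIASES.get(root.lower(), root.lower())
    return root + sep + rest.lower()


def parse_reg_export(text: str) -> Dict[Tuple[str, str], int]:
    """Collect REG_DWORD values from already-decoded .reg text as (key, name) -> int."""
    values: Dict[Tuple[str, str], int] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalise_key(line[1:-1])
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            raw_dword = int(m.group(2), 16)
            # REG_DWORD is stored unsigned; reinterpret as signed 32-bit so that
            # ffffffff matches the -1 the description lists for MaxInstanceCount.
            signed = raw_dword - (1 << 32) if raw_dword & 0x80000000 else raw_dword
            values[(current, m.group(1).lower())] = signed
    return values


def find_indicators(text: str) -> List[Tuple[str, str, int]]:
    """Return every listed (key, value name, data) triple that the export contains verbatim."""
    present = parse_reg_export(text)
    hits = []
    for (key, name), expected in INDICATORS.items():
        if present.get((normalise_key(key), name.lower())) == expected:
            hits.append((key, name, expected))
    return hits


# Constructed sample export: Telnet set to auto-start, Terminal Services left at
# manual start (3), RDP connections enabled, and an unlimited RDP-Tcp instance count.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSAdvertise"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core\WinStations\RDP-Tcp]
"MaxInstanceCount"=dword:ffffffff
"""

if __name__ == "__main__":
    for key, name, data in find_indicators(SAMPLE_EXPORT):
        print(f"{key}\\{name} = {data}")
```

Several of these values are legitimate on a host where Remote Desktop has been enabled on purpose, so the hit list is triage input to weigh together with the other indicators on this page (the Telnet service set to start, the Service account, the dropped files), not proof of infection by itself. The parser works on decoded text; regedit saves .reg files as UTF-16LE, so decode the file with that encoding before passing its contents in.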

Troj/Dagonit-A may attempt to delete the following files:

<System>\dllcashe\winlogon.exe
<System>\dllcashe\termsrv.dll
<System>\dllcashe\mstscax.dll
