Troj/Dermon-D

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Dermon-D is a password stealing Trojan for the Windows platform.

Troj/Dermon-D includes functionality to:

- extract stored passwords from the infected computer
- retrieve information from the protected storage areas
- silently download, install and run new software
- send notification messages to remote locations
- inject its code into LSASS.EXE
- log the user's internet browsing habits
- provide a proxy server
- disable other software, including anti-virus, firewall and security related applications

Troj/Dermon-D attempts to disable the following processes:

outpost.exe
zonalm2601.exe
zonealarm.exe

When first run Troj/Dermon-D copies itself to <System>\winserver.exe and creates the following files:

<System>\winserv.dll - this file is detected as Troj/Dermon-D
<System>\winserv32.dll - this file is detected as Troj/Dermon-D

The file winserv.dll is a remote notification DLL component which sends stolen information to a remote website.

The file winserv32.dll is a process injector DLL component which attempts to inject itself into LSASS.EXE in order to hide its presence from process listings and security software.

Troj/Dermon-D also attempts to create the following files:

<System>\perflibs.dat
<System>\winserv.ini
<System>\winserv.dat

These files are created by the Trojan and may safely be deleted during clean-up.

The following registry entries are created to run winserver.exe on startup (the RunServices key is only processed by Windows 9x/Me; on NT-based Windows the two Run entries are the effective persistence):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
win32 internet server
<System>\winserver.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
win32 internet server
<System>\winserver.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
win32 internet server
<System>\winserver.exe

Troj/Dermon-D may also set the following registry entries, which replace the shell's http and https URL protocol handlers so that the Trojan is launched together with IEXPLORE.EXE whenever such a URL is opened:

HKCR\http\shell\open\command
(default)
<Program Files>\Internet Explorer\Iexplore.exe\<path to Trojan>

HKCR\Classes\https\shell\open\command
(default)
<Program Files>\Internet Explorer\Iexplore.exe\<path to Trojan>
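The following script is an added example for checking a machine against the indicators above; it is not Sophos code. It parses `reg export` text (the output of, for example, `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`, and likewise for the HKCU Run, RunServices, HKCR\http and HKCR\https keys) and a file listing, and flags the "win32 internet server" autorun values, the dropped files and any http/https handler that references one of them. The sample .reg text and file list are constructed; the exact string of the hijacked http handler is assumed (Trojan path followed by the Internet Explorer path), since the page does not show it clearly.

```python
"""Offline triage for the Troj/Dermon-D indicators described above.

Added example, not Sophos code. Parses `reg export` text and a file
listing and flags the autorun values, dropped files and http/https
handler hijack the description lists. All sample input is constructed.
"""
import ntpath

# Indicators copied from the description above.
RUN_VALUE_NAME = "win32 internet server"
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
# HKCR is HKEY_CLASSES_ROOT, which is how `reg export` spells it.
PROTOCOL_HANDLER_KEYS = {
    r"HKEY_CLASSES_ROOT\http\shell\open\command",
    r"HKEY_CLASSES_ROOT\https\shell\open\command",
}
DROPPED_FILES = {
    "winserver.exe", "winserv.dll", "winserv32.dll",
    "perflibs.dat", "winserv.ini", "winserv.dat",
}


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}.

    Quoted string data is unescaped; hex:/dword: data is kept raw.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def scan_registry(keys):
    """Return (key, value_name, data, reason) for each suspicious value."""
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            low = data.lower()
            dropped = any(f in low for f in DROPPED_FILES)
            if key in RUN_KEYS and (name.lower() == RUN_VALUE_NAME or dropped):
                findings.append((key, name, data, "Dermon-D autorun entry"))
            elif key in PROTOCOL_HANDLER_KEYS and dropped:
                findings.append((key, name, data, "http/https handler hijacked"))
            elif key in PROTOCOL_HANDLER_KEYS and low.count(".exe") > 1:
                # Heuristic: a handler naming two executables is wrapping the
                # real browser with something else; review it manually.
                findings.append((key, name, data, "handler wraps browser (review)"))
            elif dropped:
                findings.append((key, name, data, "references a dropped file"))
    return findings


def scan_files(paths):
    """Return the paths whose file name matches a dropped component."""
    return [p for p in paths if ntpath.basename(p).lower() in DROPPED_FILES]


# Constructed sample input. The hijacked http handler value is an assumed
# form (Trojan first, then IE); the page does not show the exact string.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"win32 internet server"="C:\\WINDOWS\\system32\\winserver.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"win32 internet server"="C:\\WINDOWS\\system32\\winserver.exe"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\WINDOWS\\system32\\winserver.exe\" \"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\https\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"
'''

SAMPLE_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\winserver.exe",
    r"C:\WINDOWS\system32\winserv32.dll",
    r"C:\WINDOWS\system32\perflibs.dat",
]

if __name__ == "__main__":
    for key, name, data, reason in scan_registry(parse_reg_export(SAMPLE_REG)):
        print(f"{reason}: [{key}] {name} = {data}")
    for path in scan_files(SAMPLE_FILES):
        print(f"dropped file present: {path}")
```

On a real system, read the exported .reg files with UTF-16 decoding (`reg export` writes UTF-16LE with a byte-order mark) and feed a directory listing of `%SystemRoot%\system32` to scan_files. The handler check is deliberately heuristic: a clean http handler points at a single browser executable, so any value that names a dropped file, or two executables, deserves a manual look before the key is restored.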
