Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 25 August 2005 08:20:10 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Dermon-D is a password-stealing Trojan for the Windows platform.
Troj/Dermon-D includes functionality to:
- extract stored passwords from the infected computer
- retrieve information from the protected storage areas
- silently download, install and run new software
- send notification messages to remote locations
- inject its code into LSASS.EXE
- log the user's internet browsing habits
- provide a proxy server
- disable other software, including anti-virus, firewall and security related applications
Troj/Dermon-D attempts to disable the following processes:
- outpost.exe
- zonalm2601.exe
- zonealarm.exe
When first run, Troj/Dermon-D copies itself to <System>\winserver.exe and creates the following files:
- <System>\winserv.dll (detected as Troj/Dermon-D)
- <System>\winserv32.dll (detected as Troj/Dermon-D)
The file winserv.dll is a remote notification DLL component which sends stolen information to a remote website.
The file winserv32.dll is a process injector DLL component which attempts to inject itself into LSASS.EXE in order to hide itself.
Troj/Dermon-D also attempts to create the following files:
- <System>\perflibs.dat
- <System>\winserv.ini
- <System>\winserv.dat
These files may be deleted.
The following registry entries are created to run winserver.exe on startup:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Value: win32 internet server
  Data: <System>\winserver.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value: win32 internet server
  Data: <System>\winserver.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  Value: win32 internet server
  Data: <System>\winserver.exe
Troj/Dermon-D may also set the following registry entries so that it runs whenever IEXPLORE.EXE is launched:
- HKCR\http\shell\open\command
  Value: (default)
  Data: <Program Files>\Internet Explorer\Iexplore.exe\<path to Trojan>
- HKCR\Classes\https\shell\open\command
  Value: (default)
  Data: <Program Files>\Internet Explorer\Iexplore.exe\<path to Trojan>
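The persistence entries listed above can be checked offline in a registry export. The following Python triage script is an added example (not part of this advisory or of any Sophos tool): it parses a constructed .reg file and flags Run/RunServices values named "win32 internet server" or pointing at the dropped files, and http/https handler commands that reference them. The sample export, the value data and the benign entries in it are constructed for illustration.

```python
import re

# Constructed sample .reg export (not from the advisory) mixing benign
# entries with the persistence values the advisory attributes to Troj/Dermon-D.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"win32 internet server"="C:\\WINDOWS\\system32\\winserver.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"win32 internet server"="C:\\WINDOWS\\system32\\winserver.exe"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\Iexplore.exe\" C:\\WINDOWS\\system32\\winserver.exe"

[HKEY_CLASSES_ROOT\https\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"
'''

# Indicators taken from the advisory: the autorun value name and dropped files.
AUTORUN_NAME = "win32 internet server"
DROPPED_FILES = ("winserver.exe", "winserv.dll", "winserv32.dll")
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Services)?$", re.I)
HANDLER_KEY = re.compile(r"^HKEY_CLASSES_ROOT\\https?\\shell\\open\\command$", re.I)
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def parse_reg(text):
    """Yield (key, value_name, data) for REG_SZ values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = re.sub(r"\\(.)", r"\1", m.group(2)[1:-1])  # undo .reg escaping
            yield key, name, data


def find_dermon_persistence(text):
    """Return (key, name, data, reason) for values matching the advisory's entries."""
    hits = []
    for key, name, data in parse_reg(text):
        low = data.lower()
        if AUTORUN_KEY.search(key) and (name.lower() == AUTORUN_NAME
                                        or any(f in low for f in DROPPED_FILES)):
            hits.append((key, name, data, "autorun"))
        elif HANDLER_KEY.match(key) and any(f in low for f in DROPPED_FILES):
            hits.append((key, name, data, "http handler hijack"))
    return hits


if __name__ == "__main__":
    for hit in find_dermon_persistence(SAMPLE_REG):
        print(hit)
```

On a live host the same checks apply to the keys read directly from the registry; the export-based form is what a triage workflow over collected hives would use.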