| Name: | Doly Trojan |
| Aliases: | Backdoor-AZ |
| Ports: | 21, 1010, 1011, 1012, 1015, 1016, 2345 |
| Files: | Doly1.1.zip; Doly1.2.zip - 3,977,753 bytes; Doly135.zip - 5,942,944 bytes; Doly15.zip - 4,348,735 bytes; Doly16.zip - 2,627,852 bytes; Doly_Trojan_v17.zip - 842,982 bytes; Doly17_Server.zip - 172,912 bytes; Doly2.0.zip; Send_to_victim.zip - 2,386,049 bytes; Send_to_victim2.zip - 2,392,257 bytes; Send_to_victim3.zip - 2,361,750 bytes; Doly_Client[SE].zip - 844,595 bytes; Doly_Server[SE].zip - 186,105 bytes; Dolytrojan.exe - 251,904 bytes; Doly.exe; Doly1.2.exe - 2,004,818 bytes; Doly135.exe - 2,813071 bytes; Doly15.exe - 1,990,448 bytes; Doly16.exe - 1,463,805 bytes; Setup.exe - 2,049,807 bytes; Ssetup.exe - 1,271,877 bytes; Ssetup.exe - 2,454,690 bytes; Ssetup.exe - 3,226,540 bytes; Ddoly121.zip - 406 bytes; Dhacker.exe - 45,056 bytes; Download.exe - 2,429,558 bytes; Interactive.exe - 2,398,769 bytes; Setup.exe - 436,227 bytes; Setup.exe - 2,423,695 bytes; Ndc.exe - 204,800 bytes; Nds.exe - 106,496 bytes; Mdm.exe; Tesk.exe - 169,472 bytes; Tesk.sys; Mstesk.exe; Kernal32.exe; Iecookie.exe; Sys.exe; Sys.lon; Send_to_victim.zip - 2,386,029 bytes; Send_to_victim2.zip - 2,392,257 bytes; Send_to_victim3.zip - 2,361,750 bytes; Vbrun60.exe - [1 Mb] |
| Created: | April 1999 |
| Requires: | Vbrun60.exe is required to run Dhacker.exe. An extra .dll file is needed to run the screen capture feature in version 2.0. |
| Actions: | Remote Access / Keylogger / IRC trojan |
| | Doly is hidden in several different programs: a Memory Manager, an Interactive Game, and a Downloading program. The trojan also starts itself from the Windows Startup directory. |
| Versions: | 1.1, 1.2, 1.21, 1.3, 1.35, 1.5, 1.6, 1.7, 1.7 [SE], 2.0beta |
| Registers: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\; HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\ |
| Notes: | Works on Windows 95, 98 and NT. Please note that not all versions work on NT. Dhacker.exe is a Doly 1.6 password cracker, and Vbrun60.exe is only needed if you want to run it (it is written in Visual Basic 6). The master password for versions 1.6 and 1.7 is "Sarit". |
| Country: | Written in Israel |
| Program: | Written in Visual Basic 6. |

Using the Process Monitor from AATools, you can see whether any foreign
programs are running on your computer. If you find an unwanted program, you
can terminate it by clicking the 'Terminate Process' button on the Toolbar.

Using the AATools Network Monitor, you can see which ports are in use on
your local PC for connections with remote systems (LAN/Internet). On Windows
NT/2000/XP the Network Monitor also shows the services that are active on
the ports and maps the ports to their respective applications. If you observe
port probes directed against ports that are normally not used, it is possible
that someone is trying to connect to a Trojan inside your network.

Using the Registry Cleaner (Startup section) from AATools, you can see
the list of programs that are registered under the Run, RunOnce, RunOnceEx and
RunService registry keys, so you can find out which programs are started behind
your back. You should check that these programs are legitimate and
not Trojans.