Event ID - 1010

Port No1010
Service NameSurf
RFC Doc0
ProtocolTCP
DescriptionSurf
Reference LinkMore INformation
AttackName: Doly Trojan

Server Features:
1. Change computer name
2. Change owner name
3. Change resolution to 640/480
4. Change the title color on open windows to a random color
5. Change volume to maximum or minimum
6. Close all windows
7. Close server Chat with server
8. Computer run time
9. Disable double click
10. Disconnect server from internet
11. Display fatal error plus customizable message
12. Display FBI screen
13. File manager
14. Get ICQ password
15. Get ICQ UIN
16. Get passwords
17. Get user info
18. Hide/show all drives
19. Hide/show find dialog (Start menu..find)
20. Hide/show mouse
21. Hide/show run dialog (Start menu..run)
22. Hide/show task bar
23. ICQ notify IRC notify
24. Key logger on/off
25. Move mouse
26. Open/close cd-rom
27. Open FTP server
28. Password protect server (password deleted if server not connected to within 4 days)
29. Remove windows background
30. Run program (visible to user or hidden)
31. Screen capture
32. Send key or string
33. Send to URL
34. Set all window names to another name
35. Set systems color
36. Shell spy
37. Sleep
38. Show/stop error screen
39. Shutdown windows
40. Start/stop crazy mouse
41. Swap/unswap mouse buttons (Left button becomes right)
42. View running applications
43. View, clear or change clipboard text

Comments:
The Doly Trojan 2.0 has been released as a beta and appears to be the last Doly Trojan. This version came with a brand new client and a server that was reduced to only 104 kilobytes. Doly Trojan 2.0 does not infect computers. The programmers suggested merging it with other files. Also the screen capture feature needs an extra DLL file to work, which needs to uploaded by the person using the server. The lack of infection capabilities and non-working features mean version 1.70 SE is probably encountered more often then this version.

HOw To Remove:
1. Remove the Ms tesk keys in the registry located at HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run. Then delete Enable, parameters, path and startup keys in the registry located at HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\Ava. Which can be done with regedit or any other registry editing program.
2. Reboot the computer or close mdm.exe in the program files directory (Usually c:\program files\) and in the windows start up directory (Usually c:\windows\start menu\programs\startup\). Also reboot or close Kernal32.exe in the windows system directory.
3. Delete the trojan file Kernal32.exe in the windows system directory. Also delete mdm.exe in the windows start up directory (Usually c:\windows\start menu\programs\startup\) and in the program files directory (Usually c:\program files\). If any of the files can not be deleted or closed then reboot the computer into DOS mode and delete them there.

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.