Windows Startup Programs database
Startup Programs - Dangerous - D
Home
Features
On-line Guide
Help On-line
Screenshots
Order
Download
Localization
Awards
Support
NI Forum
Mickey Forum
Greatis Forum
Startup Programs
Application Database
Hot!
Download:
RegRun 4.0 beta 2
What's new?
Greatis Home
Subscribe:
The Application Database
suggests you which Windows startup programs are usefual and which are bad.
The recommended tool for quickly removing the useless programs is
RegRun Startup Optimizer
.
www.startupapps.com
Purchase RegRun Suite
Download RegRun Suite
Search Database for:
RegRun
>
Greatis Startup Application Database
> Dangerous >
D
dadruq.exe
darkftp.exe
darkftp1.0b.exe
darkshadow.trojan.exe
dat92003.exe
data2.exe
datcheck.exe
datkiller.exe
dbole.exe
dcemgr.exe
dconfig.exe
dcv.exe
ddc152.exe
ddc153.exe
ddcg152.exe
ddcg153.exe
ddcw.exe
ddick.exe
dds152.exe
ddsetup.exe
ddsfind.exe
death.exe
debugg.dll
decode.exe
decryptor.exe
decryptuue.exe
deep throat mib.exe
deepbo.exe
defrags.exe
deltaserver.exe
derspaher.exe
desintall.exe
deskmanager.exe
desktop.exe
dfjcwd.exe
dgainaiai.exe
dhacker.exe
dialupsc.exe
diihost.exe
dilbertdance.jpg.exe
dinheiro.exe
direct.exe
directs.exe
directx.exe
dkbdll.exe
dkftp14c.exe
dkftp165cfg.exe
dkftpcfg.exe
dll.exe
dllclient.exe
dllfiles.exe
dllmgr.exe
dllrun.exe
dlls32.exe
dllx32.exe
dluca.exe
dm_mgr.exe
dnetc.exe
dnsmaster.exe
doly.exe
doly1.2.exe
doly135.exe
doly15.exe
doly16.exe
dolytrojan.exe
dos32.exe
dosrun32.exe
download_plugin.exe
dp.exe
drat setup util.exe
drat.exe
dratfile_gui.exe
dream.exe
drvctrl95.exe
drvddll.exe
drvsys.exe
ds3.exe
ds3english.exe
ds3german.exe
ds3-mini.exe
dtv3 client.exe
dtv3.1 client.exe
duncntrl.exe
dupview.exe
dvvjphay.exe
dwarf4you.exe
dxupdate.exe
dadruq.exe
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing ""Could not find setuplog.bat"" which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, ""pkg"" being a fix string. It also copied itself to $windows/unin0686.exe.
darkftp.exe
FTP server / IRC trojan
Kills the firewall atGuard. The hacker is able to restart or shut the server down through IRC.
darkftp1.0b.exe
FTP server / IRC trojan
Kills the firewall atGuard. The hacker is able to restart or shut the server down through IRC.
darkshadow.trojan.exe
Remote Access
The trojan is encrypted.
dat92003.exe
Remote Access / AOL trojan
data2.exe
Remote Access
Renamed and modified versions of Sub Serven.
datcheck.exe
Prank trojan
Whatever the victim writes, it will turn up as "I am a F__king gay"".
datkiller.exe
Destructive trojan
XalNaga modifies the registry to disable the Find, Run, and ShutDown options from the Start Menu. It also hides your desktop and inserts a message with the text "The human era has come to an end, the neew breed of humans will evolve right now!!! Behold and despair!!!".
dbole.exe
Trojan program:WebMoney Wmpatch.
Remove DBOLE.EXE, SICKBOY.EXE, SYSMAN32.EXE from startup and from your hard disk.
dcemgr.exe
Backdoor.Tumag allows unauthorized remote access to an infected computer. By default, the backdoor listens on TCP port 9010.
When Backdoor.Tumag is executed, it performs the following actions:
Copies itself as:
%System%\dcemgr.exe
%System%\dcemgr2.exe
Creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DCE
to keep track of the infection's progress.
Connects to dns2010.vicp.net or 218.242.161.151 on port 9002 to notify the author of the backdoor.
Opens a backdoor on TCP port 9010 and listens for commands from the attacker.
The backdoor can perform the following default actions:
- Update itself
- Take a screenshot
- Provide system information
- Create files
- Execute programs
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "DCE Manager"="%System%\dcemgr.exe"
dconfig.exe
Trojan Trojan.Clicker.NetBuie.b.
Kill it!
dcv.exe
Remote Access / ICQ trojan
Sockets des Troie is French for Trojan Sockets and was one of the very first Remote Access trojans being published.
ddc152.exe
Remote Access / Novell NetWare trojan
Donald Dick looks like Donald Duck as a fat and smoking decadent Soviet Spetsnaz soldier.
ddc153.exe
Remote Access / Novell NetWare trojan
Donald Dick looks like Donald Duck as a fat and smoking decadent Soviet Spetsnaz soldier.
ddcg152.exe
Remote Access / Novell NetWare trojan
Donald Dick looks like Donald Duck as a fat and smoking decadent Soviet Spetsnaz soldier.
ddcg153.exe
Remote Access / Novell NetWare trojan
Donald Dick looks like Donald Duck as a fat and smoking decadent Soviet Spetsnaz soldier.
ddcw.exe
Remote Access / Novell NetWare trojan
Donald Dick looks like Donald Duck as a fat and smoking decadent Soviet Spetsnaz soldier.
ddick.exe
Remote Access / Novell NetWare trojan
Donald Dick looks like Donald Duck as a fat and smoking decadent Soviet Spetsnaz soldier.
dds152.exe
Remote Access / Novell NetWare trojan
Donald Dick looks like Donald Duck as a fat and smoking decadent Soviet Spetsnaz soldier.
ddsetup.exe
Remote Access / Novell NetWare trojan
Donald Dick looks like Donald Duck as a fat and smoking decadent Soviet Spetsnaz soldier.
ddsfind.exe
Remote Access / Novell NetWare trojan
Donald Dick looks like Donald Duck as a fat and smoking decadent Soviet Spetsnaz soldier.
death.exe
Remote Access
debugg.dll
Trojan Haxdor.
Once launched, the program installs itself in the Windows system directory as
w32_ss.exe
It then installs the other program modules to the victim machine:
debugg.dll - main module
sdmapi.sys *
boot32.sys *
c3.dll *
c3.sys *
c4.sys *
The Trojan installs itself in the system registry.
In systems running Windows 9x:
[HKLM\System\CurrentControlSet\Control\MPRServices\TestService]
DllName="debugg.dll"
EntryPoint="MemManager"
StackSize=0
In systems running Windows NT/2000/XP:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\debugg]
DllName="debugg.dll"
Startup="MemManager"
Impersonate=1
Asynchronous=1
MaxWait=1
decode.exe
Steals passwords
It steals dailup passwords and hides them in Rasxnfo.dll, which is encrypted. It sends the file through a SMTP server to the following mail addresses: addr2@server.com , addr3@server.com, majlisb@yahoo.com.
decryptor.exe
Remote Access
decryptuue.exe
Steals passwords / ICQ trojan
Displays a Firework and simultanlously starts in the backround. Sends the passwords encrypted via e-mail
deep throat mib.exe
Remote Access / FTP server / Steals passwords
deepbo.exe
Remote Access
DeepBO is a modified client for Back Orifice. Spreads as one of two utilities: "Nonuke" and "ICQ Inhancer".
defrags.exe
Keylogger
Logs all keys typed on the server computer.
deltaserver.exe
Remote Access
derspaher.exe
Remote Access / Virus dropper
Among other features the trojan can drop the Ping-Pong virus.
desintall.exe
Remote Access
Alters Win.ini and System.ini. A servereditor makes it possible for an intruder to change the port used and the UIN to notify upon a new succesful installation.
deskmanager.exe
Remote Access
desktop.exe
W32.Kobot.A is a worm that spreads through open network shares, telnet, dameware, realserv, VNC, and niprint.
This worm also uses three remotely exploitable Windows vulnerabilities to propagate.
Can also function as an email relay and as a proxy for HTTP and SOCKS.
Adds the some values to some registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings
Deletes the values: "avserve.exe"; "avserve2.exe"; "skynetave.exe"; "lsasss.exe"; "napatch.exe"; "Generic Host Service"
from the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Attempts to connect to one of the following IRC servers using TCP port 4467, and waits for a command from the author through the IRC channel:
kepler.afraid.org
knix.afraid.org
backbone.afraid.org
irc.knix.25u.com
Scans for network shares, FTP, telnet, vnc, dameware, realserv, and niprint services and attempts to connect and copy itself using weak user names and passwords.
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "desktop"="%System%\desktop.exe"
dfjcwd.exe
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing ""Could not find setuplog.bat"" which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, ""pkg"" being a fix string. It also copied itself to $windows/unin0686.exe.
dgainaiai.exe
Works on Windows 95, 98 and ME.
dhacker.exe
Remote Access / Keylogger / IRC trojan
Doly is hidden in several different programs: in Memory Manager, in an Interactive Game, and in a Downloading program. The trojan also starts using Windows Startup Directory.
dialupsc.exe
Steals passwords
The stolen passwords are sent to several mail accounts at crosswinds.net, yahoo.com and bonbon.net
diihost.exe
Gaobot Trojan.
Spreads in local network via open shares.
Also it uses DCOM RPC vulnerability (135,445 ports) and WebDav vulnerability (port 80).
Allows to control the victim computer by IRC.
Terminates well known antiviral software.
Removal:
install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set the strong passwords for network shares.
Use RegRun "Terminate" feature to erase the virus body files.
They are located in Windows\System32 folder.
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe
Free removal tool:
http://securityresponse.symantec.com/avc...
dilbertdance.jpg.exe
Worm / Mail trojan / Virus dropper / Network trojan
Alters Win.ini. The worm also spreads to shared discs in a local network. Every month the worm drops five viruses on different days: Bolzano, CIH_15, Links, Winsk and Bee_Aoc.
dinheiro.exe
Worm / Destructive trojan / Mail trojan / Network trojan
Alters Win.ini. Partial trojan, partial worm. Destroys files ending with .h, .c, .cpp, .asm, .doc, .ppt, or .xls. ExplorezipB is a compressed version of this worm. Can propagate through networks with shared disks.
direct.exe
I-Worm.Bagle.p spreads throughout the Internet via email and file-sharing networks.
The email does not contain the worm itself, but a script Trojan which downloads the worm from the Internet.
The worm is coded to infect executable files.
Also, it attempts to terminate antivirus programs and firewalls.
Once launched, the worm copies itself and its components to the Windows system directory under the names: directs.exe; directs.exeopen
and registers directs.exe in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] direct.exe=%System%\direct.exe
The worm searches the system registry for keys installed by other worms (i.e.Netsky) and deletes them.
The worm searches disks for files with e-mail addresses and then sends messages to all addresses found in these files.
The worm uses its own SMTP server to send messages.
Please, remove it with RegRun.
directs.exe
It's result of the BEAGLE.O or BEAGLE.R or BEAGLE.S or BEAGLE.T Viruses.
W32.Beagle.T@mm is a variant of W32.Beagle.R@mm.
This worm attempts to send an HTML email with various characteristics to the addresses found in the files on an infected computer.
The email does not contain an attachment of the worm. Instead, the HTML email uses the Microsoft Internet Explorer Object Tag Vulnerability
that allows for the automatic download and execution of a file hosted on a remote Web site.
This file is a copy of the worm, but may change in the future.
The worm also opens a backdoor, starts a Web server on port 81 to serve the worm, and attempts to spread through file-sharing networks
by copying itself to folders with "shar" in their names. The worm is also a file infector that appends itself to the .exe files found on the computer.
It does the following:
If the system clock's year is 2006 or later, the worm will do the following:
Deletes the keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
if the value is present, so that W32.Beagle.T@mm does not restart when you start Windows.
Adds the value: "directs.exe"="%System%\directs.exe"
to the registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
Creates the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n
Creates the following files: %System%\directs.exe (a copy of the worm)
%System%\directs.exeopen (a copy of the worm with some random data appended)
Terminates processes, which include antivirus software, processes associated with other worms, and system utilities.
Attempts to delete the some values from the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
For manual removal, please:
Navigate to the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Delete the key: Ru1n
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
Delete the key: Ru1n
directx.exe
Added as a result of the BLAXE VIRUS!
W32.HLLW.Blaxe is a worm that attempts to copy itself through the Grokster, KaZaA, and iMesh file-sharing networks.
This virus is written in the Microsoft Visual Basic programming language and is compressed with UPX.
When W32.HLLW.Blaxe runs, it does the following:
1. Copies itself as:
%Windir%\WinBat.exe
%Windir%\DirectX.exe
%Temp%\Messenger Plus! - Setup.exe
C:\Windll32.dll
%Windir% = C:\Windows or C:\Winnt
%Temp% = C:\Windows\Temp
2. Adds the value:
"DirectX"="%Windir%\DirectX.exe" to the registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
3. Searches for the Winzip.exe and, if found, and then copies itself to the same location as WZExtract.exe.
4. Sets the value:
"[Default]"="
"
in the registry key:
HKEY_LOCAL_MACHINE\Software\CLASSES\WinZip\shell\open\command
5. Creates a hidden folder, %Windir%\Kernell, and then copies itself into this folder using random names from a list.
There is some examples:
Adobe Photoshop crack.exe
Adult(hardcore sex movie xxx)movie.exe
Age of Empires 2 crack.exe
anastasia anal.jpg.exe
AOL password stealer.exe
Christina Aguilera movie.exe
Crack XBOX live.exe
Fifa 2004 crack.exe
Hotmail account hacker in 30 minutes.exe
Lord of the rings VCD.exe
MSN banner remover.exe
Windows XP Home to Professional Upgrade.exe
ZoneAlarm Firewall Pro.exe
6. Adds the values:
"dir0"="012345:%Windir%\kernell"
"dir1"="012345:%Windir%\kernell"
"dir2"="012345:%Windir%\kernell"
to the registry keys:
HKEY_CURRENT_USER\Software\Grokster\LocalContent
HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent
HKEY_CURRENT_USER\Software\KaZaA\LocalContent
7. Searches for the .exe files on the A drive. If a floppy disk is loaded in the A drive, the worm may copy itself as A:\*.exe.exe.
8. Creates the file, C:\FTP.bat, and uses this batch file to connect to a predefined FTP server, and then download the file, Update.exe, to the root folder.
(Antivirus products detect the downloaded Update.exe as W32.Spybot.Worm.)
Removal instruction:
1. Disable System Restore (Windows Me/XP).
2. Run a full system scan with your antiviral program and delete all the files detected as W32.HLLW.Blaxe.
3. Delete the values that were added to the registry.
Navigate to the key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and delete the value:
"DirectX"="%Windir%\DirectX.exe"
Then navigate to the key:
HKEY_LOCAL_MACHINE\Software\CLASSES\WinZip\shell\open\command
and modify the value to refer to the location of the Winzip32.exe file. (This is usually C:\Program Files\Winzip\Winzip32.exe.)
Navigate to each of the following keys:
HKEY_CURRENT_USER\Software\Grokster\LocalContent
HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent
HKEY_CURRENT_USER\Software\KaZaA\LocalContent
and delete the values:
"dir0"="012345:%Windir%\kernell"
"dir1"="012345:%Windir%\kernell"
"dir2"="012345:%Windir%\kernell"
dkbdll.exe
Remote Access / Virus dropper
Among other features the trojan can drop the Ping-Pong virus.
dkftp14c.exe
FTP server / IRC trojan
Kills the firewall atGuard. The hacker is able to restart or shut the server down through IRC.
dkftp165cfg.exe
FTP server / IRC trojan
Kills the firewall atGuard. The hacker is able to restart or shut the server down through IRC
dkftpcfg.exe
FTP server / IRC trojan
Kills the firewall atGuard. The hacker is able to restart or shut the server down through IRC.
dll.exe
Steals passwords / Mail trojan
Can be configuered to register on several different places. Alters Win.ini and/or System.ini, or may be found in the Registry under HKEY_LOCAL_MACHINE\ and/or HKEY_CURRENT_USER.
dllclient.exe
Remote Access
dllfiles.exe
Remote Access / IRC trojan
dllmgr.exe
I-Worm.Borzella is a worm virus spreading via the Internet in an infected file attached to e-mails.
The infected messages have Subject/Body/Attachment names that are randomly selected from three variants each.
To send infected messages the worm uses a direct connection to the SMTP server. Worm opens and scans the Windows Address Book.
Displays different messages.
Manual removal:
Navigate to the key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and delete the entry: Dll Manager = %WinDir%\dllmgr.exe
dllrun.exe
Remote Storm trojan
dlls32.exe
Remote Access
dllx32.exe
Backdoor.Nibu.H opens a backdoor Trojan horse on a compromised system.
It also runs a keylogger, periodically sending the stolen information to a predetermined email address.
Copies itself as these files:
%System%\dllx32.exe
%System%\dlla32.exe
%Startup%\dllw32.exe
Adds the value: "load32"="%System%\dllx32.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Modifies the value data of: Shell
in the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
from: "explorer.exe" to: "explorer.exe %Windir%\system32\dlla32.exe"
Looks for windows that have certain strings in the title bar. These strings vary, but may include the following:
Bank; bank; bull; Bull; cash; ebay; e-metal; Fethard; fethard; gold; Keeper; localhost; mull; PayPal; Storm; WebMoney; Winamp; WM Keeper
Captures keystrokes that are typed into windows that contain the previously listed strings and stores them in a log file.
This file may be named %Windir%\1111k.log.
Launches a thread that monitors the Clipboard, saving to a log file any data that it finds.
The file may be named %Windir%\1111c.sys.
May steal passwords from the WebMoney and Far FTP accounts that are stored in the registry.
Periodically checks the size of the files that it uses for logging stolen information.
When the files are a certain size, the log files will be emailed to a hard-coded email address, along with System information such as the IP address and operating system.
Remove it witn RegRun.
dluca.exe
It's a result of the DLUCA.C VIRUS.
Downloader.Dluca.C is a variant of the Downloader.Dluca Trojan Horse that sends information about your computer to a specific Web site
and downloads files onto your computer.
When Downloader.Dluca.C is executed, it does the following:
Copies itself to the System directory.
%System%\msinstall\dlu32\dluca\dluca.exe
%System%\dluca-uninstall.exe
Adds the value:
"dluca" = "%System%\msinstall\dlu32\dluca\dluca.exe /noconnect"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Also, adds the subkeys and values to some other registry keys.
Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.
dm_mgr.exe
Added as a result of the JITTAR VIRUS.
Backdoor.Jittar is a Backdoor Trojan Horse that gives its creator remote access to and complete control over a compromised system.
By default it uses ports 1309 and 2699 to listen for commands from the Trojan's creator.
When Backdoor.Jittar does the following:
Copies itself as the following files, and then executes them:
%System%\Dm_mgr.exe
%System%\Linxup.exe
On Windows NT/2000/XP computers, it installs %System%\Dm_mgr.exe as a service with the following details:
Name: WMDM
Display name: WMDM Manager
Execute path: %System%\dm_mgr.exe
On Windows 95/98/Me computers, it adds the value:
"DM mgr"="%System%\dm_mgr.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs when you start Windows.
Manual removal:
In the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
delete the value:
"DM mgr"="%System%\dm_mgr.exe"
You may use RegRun Startup Optimizer to automatic remove it from startup.
dnetc.exe
Worm / Network trojan
It generates random IP numbers starting with 24, then try to map all drives on that number and spread to all open shares. Dnetc is a legitimite program that may have been installed previously. In this case itīs used illegally.
Read more:
http://www.securityportal.com/research/v...
dnsmaster.exe
Remote Access
doly.exe
Remote Access / Keylogger / IRC trojan
Doly is hidden in several different programs: in Memory Manager, in an Interactive Game, and in a Downloading program. The trojan also starts using Windows Startup Directory.
doly1.2.exe
Remote Access / Keylogger / IRC trojan
Doly is hidden in several different programs: in Memory Manager, in an Interactive Game, and in a Downloading program. The trojan also starts using Windows Startup Directory.
doly135.exe
Remote Access / Keylogger / IRC trojan
Doly is hidden in several different programs: in Memory Manager, in an Interactive Game, and in a Downloading program. The trojan also starts using Windows Startup Directory.
doly15.exe
Remote Access / Keylogger / IRC trojan
Doly is hidden in several different programs: in Memory Manager, in an Interactive Game, and in a Downloading program. The trojan also starts using Windows Startup Directory.
doly16.exe
Remote Access / Keylogger / IRC trojan
Doly is hidden in several different programs: in Memory Manager, in an Interactive Game, and in a Downloading program. The trojan also starts using Windows Startup Directory.
dolytrojan.exe
Remote Access / Keylogger / IRC trojan
Doly is hidden in several different programs: in Memory Manager, in an Interactive Game, and in a Downloading program. The trojan also starts using Windows Startup Directory.
dos32.exe
Gaobot Trojan.
Spreads in local network via open shares.
Also it uses DCOM RPC vulnerability (135,445 ports) and WebDav vulnerability (port 80).
Allows to control the victim computer by IRC.
Terminates well known antiviral software.
Removal:
install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set the strong passwords for network shares.
Use RegRun "Terminate" feature to erase the virus body files.
They are located in Windows\System32 folder.
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe
Free removal tool:
http://securityresponse.symantec.com/avc...
dosrun32.exe
Gaobot Trojan.
Spreads in local network via open shares.
Also it uses DCOM RPC vulnerability (135,445 ports) and WebDav vulnerability (port 80).
Allows to control the victim computer by IRC.
Terminates well known antiviral software.
Removal:
install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set the strong passwords for network shares.
Use RegRun "Terminate" feature to erase the virus body files.
They are located in Windows\System32 folder.
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe
Free removal tool:
http://securityresponse.symantec.com/avc...
download_plugin.exe
Internet Explorer homepage hijacker.
Install latest patch for IE.
Remove it from startup.
dp.exe
Remote Access
drat setup util.exe
Remote Access
Anytime the user tries to load an .exe or a .bat file, Drat executes as well. Itīs the only known trojan depending on a Registry write to Hkey_Classes_Root only for itīs autoloading.
drat.exe
Remote Access
Anytime the user tries to load an .exe or a .bat file, Drat executes as well. Itīs the only known trojan depending on a Registry write to Hkey_Classes_Root only for itīs autoloading.
dratfile_gui.exe
Remote Access
Anytime the user tries to load an .exe or a .bat file, Drat executes as well. Itīs the only known trojan depending on a Registry write to Hkey_Classes_Root only for itīs autoloading.
dream.exe
AOL trojan
drvctrl95.exe
Remote Access / ICQ trojan
Sockets des Troie is French for Trojan Sockets and was one of the very first Remote Access trojans being published.
drvddll.exe
Bagle.z is an Internet worm spreading as an infected email attachment.
Infected message characteristics:
Sender address: random
Subject and attachment name are one from the predefined list.
Attachment characteristics:
.exe .com .scr and .cpl binary code file
.vbs script
.hta html-file
Message body:
There is a wide range of possible message texts.
The message may contain a VBS script; if this is launched by the user, it exploits a Microsoft Internet Explorer vulnerability (Microsoft Security Bulletin MS03-040) which makes it possible to download the executable worm file via the Internet from several dozen infected web sites.
It copies itself to the Windows system directory under the name "drvsys.exe",
and registers this file in the system registry autorun key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"drvddll.exe" = "%system%\drvddll.exe"
It seraches for and deletes some keys in the system registry related with Firewall or Antivirus programs.
The worm also attempts to connect to a range of remote sites, and to save information about the victim computer on these sites.
The worm searches the computer for files with some extensions and sends itself to all email addresses found in these files.
It uses its own SMTP-server to send messages.
The worm searches the computer for folders where the name contains the word 'shar' and copies itself several times to each folder found, under the names of popular applications, such as ACDSee 9.exe, Adobe Photoshop 9 full.exe, Ahead Nero 7.exe etc.
The worm opens port 2535 and tracks port activity.
The backdoor function makes it possible to remotely execute commands and download files to the victim machine.
The worm attempts to combat antivirus programs and firewalls by terminating required memory processes.
Use RegRun Startup Optimizer to remove this worm from startup.
drvsys.exe
I-Worm.Bagle.y
This worm spreads via the Internet as an attachment to infected messages.
Characteristics of infected messages
Sender's address (chosen at random from the following):
Message header (chosen at random from the following):
Message body:
There is a wide range of possible message texts.
Attachment name:
Random, with one of the following extensions: .exe .com .scr .cpl. hta .vbs .zip
The worm searches the system register for keys created by other worms (e.g. Netsky) and deletes them.
The worm also attempts to connect to a range of remote sites, and to save information about the victim computer on these sites.
The worm searches the computer for files and sends itself to all email addresses found in these files.
It uses its own SMTP-server to send messages.
The worm attempts to combat antivirus programs and firewalls by terminating memory processes.
Manual removal:
Delete the value "drvsys.exe" = "%system%\drvsys.exe"
in the system registry autorun key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ds3.exe
Remote Access / Virus dropper
Among other features the trojan can drop the Ping-Pong virus.
ds3english.exe
Remote Access / Virus dropper
Among other features the trojan can drop the Ping-Pong virus.
ds3german.exe
Remote Access / Virus dropper
Among other features the trojan can drop the Ping-Pong virus.
ds3-mini.exe
Remote Access / Virus dropper
Among other features the trojan can drop the Ping-Pong virus.
dtv3 client.exe
Remote Access / FTP server / Steals passwords
dtv3.1 client.exe
Remote Access / FTP server / Steals passwords
duncntrl.exe
Remote Access
dupview.exe
Steals passwords
dvvjphay.exe
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing ""Could not find setuplog.bat"" which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, ""pkg"" being a fix string. It also copied itself to $windows/unin0686.exe.
dwarf4you.exe
Worm / Virus / Mail trojan
The worm patches Wsock32.dll. Hybris spreads to every address in Outlook. It always check the language version on the computer and is able to use messages in English, French, Spanish and Portuguese. When spread, the worm changes the name of the .exe file to another 8 characters. It exists at least 32 different plug-ins giving the worm various functions. The plug-ins are encrypted using an asymmetric 128-bit key algarythm and are downloaded från the newsgroup alt.comp.virus together with new encrypted instructions. One of the plug-ins makes Hybris to search for SubSeven infected computers on the Internet and infect them. The worm also probes into .zip and .rar archives, names .exe files to .ex$ and copies itself into the archive using the altered fileīs name.
dxupdate.exe
W32.Mafeg is a memory-resident, file-appending worm that attempts to spread itself through shared network resources.
When W32.Mafeg does the following:
Inserts the Dxupdate.exe file to the %System% folder.
Adds the value:
"Dxupdate.exe"="Dxupdate.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
If the system is Windows NT/2000/XP/Server 2003, it will attempt to infect the C:\NTLDR file.
Displays a message box in Chinese, if the year of the system date is greater than 2003 and the day of the week is Saturday.
Use RegRun Start Control to automatically remove it from Startup.
Copyright © 1998-2004 Greatis Software |
Privacy Policy
|
Recommend to a friend
