DONBOT
Platform: Windows 2000, Windows XP, Windows Server 2003

Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infection Channel: Dropped by other malware, Downloaded from the Internet
DONBOT, also known as BUZUS or BACHSOY, is a botnet notorious for sending spam email. It has also spammed shortened URLs through instant messaging applications such as Yahoo Messenger and MSN to spread malicious files. DONBOT variants typically arrive on systems as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
When executed, DONBOT can be used as a proxy server, compromising the security of the infected system. Once it connects to its C&C server, the attacker can also take control of the system.
TECHNICAL DETAILS
Memory Resident: Yes
Payload: Connects to URLs/IPs, Compromises system security
Installation
This Trojan drops the following component file(s):
- %System%\msvcrt2.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
- %System%\sysmgr.exe
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft(R) System Manager = "%System%\sysmgr.exe"
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpTimedWaitDelay = "0x1E"
MaxUserPort = "0x8000"
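As an added defender-side example (not part of this Trend Micro entry), the following PowerShell script performs a read-only check of a host for the artefacts listed under Installation, Autostart Technique and Other System Modifications: the two files in %System%, the "Microsoft(R) System Manager" Run value, the two Tcpip parameter values, and a running sysmgr.exe process. The function names Get-DonbotIndicators, New-Finding and Get-FileSha256 and the output format are this example's own; the file names, registry paths, value names and data are taken from the page. It assumes a Windows host with PowerShell 2.0 or later (so it also runs on the XP and Server 2003 hosts named above) and an elevated prompt so that process paths are readable.

```powershell
# Added example, not part of the Trend Micro entry: read-only check for the
# DONBOT artefacts this page lists. Function names and output shape are
# this example's own; artefact names and values come from the page.
# Only PowerShell 2.0-era cmdlets are used so it runs on XP / Server 2003.

function Get-FileSha256 {
    # Hash via .NET directly; Get-FileHash does not exist before PowerShell 4.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally {
        $sha.Clear()
    }
}

function New-Finding {
    # Small record object so results can be piped to Format-Table / Export-Csv.
    param([string]$Kind, [string]$Location, [string]$Detail)
    $f = New-Object PSObject
    $f | Add-Member NoteProperty Kind $Kind
    $f | Add-Member NoteProperty Location $Location
    $f | Add-Member NoteProperty Detail $Detail
    return $f
}

function Get-DonbotIndicators {
    $findings = @()
    # %System% as defined in the page's note (System32 on XP / 2003 and later).
    $system = [Environment]::GetFolderPath('System')

    # 1. Dropped component file and the self-copy.
    foreach ($name in @('msvcrt2.dll', 'sysmgr.exe')) {
        $path = Join-Path $system $name
        if (Test-Path -LiteralPath $path) {
            $findings += New-Finding 'File' $path ('SHA256 ' + (Get-FileSha256 $path))
        }
    }

    # 2. Autostart value. -Name on a missing value raises a non-terminating
    #    error, hence SilentlyContinue; a null result means "not present".
    $runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runName = 'Microsoft(R) System Manager'
    $run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
    if ($run -ne $null) {
        $findings += New-Finding 'Registry' "$runKey\$runName" $run.$runName
    }

    # 3. Tcpip parameters at exactly the values the page reports.
    #    Both are ordinary tuning knobs (30 s TIME_WAIT, 32768 ephemeral ports),
    #    so on their own they are only a weak corroborating signal.
    $tcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $expected = @{ 'TcpTimedWaitDelay' = 0x1E; 'MaxUserPort' = 0x8000 }
    $tcp = Get-ItemProperty -Path $tcpKey -ErrorAction SilentlyContinue
    foreach ($valueName in $expected.Keys) {
        if ($tcp -ne $null -and $tcp.PSObject.Properties[$valueName] -ne $null -and
            [int]$tcp.$valueName -eq $expected[$valueName]) {
            $findings += New-Finding 'Registry' "$tcpKey\$valueName" ('0x{0:X}' -f [int]$tcp.$valueName)
        }
    }

    # 4. Is the self-copy running right now? (Path needs an elevated prompt.)
    foreach ($proc in @(Get-Process -Name 'sysmgr' -ErrorAction SilentlyContinue)) {
        $findings += New-Finding 'Process' ('PID ' + $proc.Id) ([string]$proc.Path)
    }

    return $findings
}

$hits = @(Get-DonbotIndicators)
if ($hits.Count -eq 0) {
    'No DONBOT indicators from this entry were found on this host.'
} else {
    $hits | Format-Table -AutoSize
}
```

The script only reads; it does not delete files or registry values, so it can be run on a suspect host before deciding on containment. Treat a hit on the Run value or on the files in %System% as the primary indicator, and the Tcpip values as supporting evidence only, since administrators set the same values for legitimate tuning.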
Other Details
This Trojan connects to the following possibly malicious URL:
- {BLOCKED}.{BLOCKED}.66.38