Doly Trojan


Name: Doly Trojan
Aliases: Backdoor.AZ, Backdoor.Doly,
Ports: 21, 1010, 1011, 1012, 1015, 1016, 2345
Files: Doly1.1.zip -
Doly1.2.zip - 3,977,753 bytes
Doly135.zip - 5,942,944 bytes
Doly15.zip - 4,348,735 bytes
Doly16.zip - 2,627,852 bytes
Doly_Trojan_v17.zip - 842,982 bytes
Doly17_Server.zip - 172,912 bytes
Doly2.0.zip -
Send_to_victim.zip - 2,386,049 bytes
Send_to_victim2.zip - 2,392,257 bytes
Send_to_victim3.zip - 2,361,750 bytes
Doly_Client[SE].zip - 844,595 bytes
Doly_Server[SE].zip - 186,105 bytes
Dolytrojan.exe - 251,904 bytes
Doly.exe -
Doly1.2.exe - 2,004,818 bytes
Doly135.exe - 2,813071 bytes
Doly15.exe - 1,990,448 bytes
Doly16.exe - 1,463,805 bytes
Setup.exe - 2,049,807 bytes
Ssetup.exe - 1,271,877 bytes
Ssetup.exe - 2,454,690 bytes
Ssetup.exe - 3,226,540 bytes
Ddoly121.zip - 406 bytes
Dhacker.exe - 45,056 bytes
Download.exe - 2,429,558 bytes
Interactive.exe - 2,398,769 bytes
Setup.exe - 436,227 bytes
Setup.exe - 2,423,695 bytes
Ndc.exe - 204,800 bytes
Nds.exe - 106,496 bytes
Mdm.exe -
Tesk.exe - 169,472 bytes
Tesk.sys -
Mstesk.exe -
Kernal32.exe -
Iecookie.exe -
Sys.exe -
Sys.lon -
Send_to_victim.zip - 2,386,029 bytes
Send_to_victim2.zip - 2,392,257 bytes
Send_to_victim3.zip - 2,361,750 bytes
Vbrun60.exe - [1 Mb]
Created: April 1999
Requires: Vbrun60.exe is required to run Dhacker.exe. An extra .dll file is needed to run the screen capture feature in version 2.0.
Actions: Remote Access / Keylogger / IRC trojan
Registers: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_USER\.Default\Software\Marabilis\ICQ\Agent\Apps\
Notes: Works on Windows 95, 98 and NT. Please note that not all versions work on NT. Dhacker.exe is a Doly 1.6 password cracker and Vbrun60.exe is only needed if you want to run it (written in Visual Basic 6). Master Password for versions 1.6 and 1.7 =
Country: written in Israel
Program: Written in Visual Basic 6.0.

© Copyright von Braun Consultants. This information may include technical inaccuracies or typographical errors. If you have any questions or further information about the actual trojan above, please contact Joakim von Braun at <joakim.von.braun@risab.se>