
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Doly

 
Threat Level: Moderate threat | Damage: High | Distribution: Not widespread
Common name: Doly
Technical name: Bck/Doly.17
Threat level: Low
Type: Trojan
Effects: It allows access to the affected computer. It does not spread automatically by its own means.
Affected platforms: Windows XP/2000/NT/ME/98/95
First detected on:
Detection updated on: Dec. 2, 2005
Statistics: No
Proactive protection: Yes, using TruPrevent Technologies

Brief Description 

    

Backdoor/Doly.17 is a backdoor Trojan that consists of two parts. The first is the server, which runs automatically on the affected system: it opens a communications port and waits on it for service requests coming from the client (installed on the attacking computer). The second is the client, a graphical interface that enables malicious users to perform a number of actions on the affected system.

One symptom of the Trojan's presence on the system is that TCP port 1016 is open. Another is a file with the LON extension in the root directory of the hard disk.
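A triage check for the two symptoms just described, as an added example that is not part of the original encyclopedia entry. It assumes Windows-style `netstat -an` text and a listing of the root directory as input; the sample data, file names and function names are constructed for illustration, and a match is a reason to investigate, since other software can use the same port or extension.

```python
import os

DOLY_PORT = "1016"   # TCP port the entry says the server opens
DOLY_EXT = ".lon"    # extension of the file the entry says appears in the root directory

def local_tcp_1016(netstat_text):
    """Return `netstat -an` lines whose LOCAL TCP port is 1016."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: Proto, Local Address, Foreign Address, State
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local_port = fields[1].rsplit(":", 1)[-1]
        if local_port == DOLY_PORT and fields[3].upper() in ("LISTENING", "ESTABLISHED"):
            hits.append(line.strip())
    return hits

def lon_files(root_entries):
    """Return root-directory names with the LON extension (case-insensitive)."""
    return sorted(n for n in root_entries
                  if os.path.splitext(n)[1].lower() == DOLY_EXT)

def triage(netstat_text, root_entries):
    ports = local_tcp_1016(netstat_text)
    files = lon_files(root_entries)
    return {"port_1016": ports, "lon_files": files,
            "both": bool(ports) and bool(files)}

# Constructed sample input (documentation address ranges, invented file names).
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1016           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1016        198.51.100.7:4431      ESTABLISHED
  TCP    192.0.2.10:1035        198.51.100.9:1016      ESTABLISHED
  TCP    0.0.0.0:10160          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1016           *:*
"""
SAMPLE_ROOT = ["AUTOEXEC.BAT", "CONFIG.SYS", "sample.LON", "WINDOWS", "lonely.txt"]

if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT, SAMPLE_ROOT)
    for key, value in result.items():
        print(key, "->", value)
```

The outbound connection to a remote port 1016, the UDP socket and port 10160 are deliberately not reported, because only a local TCP port 1016 matches the symptom.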

The server enables malicious users to carry out a number of actions on the affected system. When the server is executed, users must enter the Nickname (access identifier) of the affected system. Once this is done, it establishes a connection with the client, thereby enabling malicious users to perform a number of actions on the affected system: it restarts Windows, captures screenshots, opens a chat session with the computer under attack, interrupts the Internet connection, performs keylogging actions, obtains confidential user information, formats the hard disk, disables the mouse double click feature, opens and closes the CD-ROM tray, modifies the screen resolution, runs programs in the background, disables the Find and Execute options, hides the icons on the Windows desktop, moves the mouse pointer at random, etc.

Visible Symptoms 

    

This Trojan carries out its actions through a client-server connection. To establish this connection, the client sends service requests to the server through a communications port. Once the connection is established, the client sends requests to the server. Then, the server will be in charge of carrying out all the service requests coming from the client.

Attacking users must have the client installed on their systems. The client is a graphics interface that allows malicious users to carry out a large number of actions on the affected system. To do this, users will have to enter the Nickname (access identifier), which is needed to establish a connection with the affected system, as can be seen in the image shown below.



Once the nickname has been entered, the interface of the client is displayed, which allows users to carry out a number of actions on the affected system. The client looks as follows:



It is interesting to note that the client looks very much like the Windows desktop. This window enables users to access different menus, as well as to access other versions of the Trojan.

The Trojan contains an IP analyzer, which enables malicious users to find victim systems where the server is installed. It automatically attempts to find IP addresses of the affected systems:

  • Admin section: It allows hackers to perform a number of actions on the system: it restarts Windows, captures screenshots, opens a chat session with the infected system, interrupts the Internet connection, performs keylogging actions, opens an FTP connection, obtains confidential user information, creates its own script code (VBS - Visual Basic Script), which is stored in the hard disk root directory under a previously specified name, and adds ICQ notification messages. However, its most dangerous and destructive function is the ability to format the hard disk of the computer under attack.

  • Fun Shit section: These actions are not dangerous, but they can be very annoying. Some of them include disabling the mouse double click feature, reversing the mouse buttons, displaying error messages on the screen, opening and closing the CD-ROM tray, hiding the task bar, changing the colors of the title bars, etc.

  • Misc Shit section: This section allows users to open the Internet browser at a pre-established URL, view the history of the last websites visited on the affected system, change the name assigned to the computer and run programs in the background.

  • Windows Shit section: This section allows users to disable the Find and Run options in the Windows Start menu, move the mouse pointer about the screen, and delete, display and modify the Clipboard of the client, etc.

  • Message Manager section: This section is in charge of managing all the actions related to the message boxes displayed by the Trojan.

  • File Manager section: It allows users to carry out a number of actions with the files on the affected system.

  • User Info section: It allows hackers to obtain confidential user information and to store this information in a file.

Besides all of these actions, it contains an About option, which users can use to carry out a great number of actions on the affected system. This option looks as follows: