Trojan.Danmec
This is a quick analysis of a trojan that was passed around last week (early December 2005). I decided to have a quick look at it for fun, and it turned out to have a nice, easy decryption loop. The trojan appears to have no readable strings except for some boring stuff and a reference to IISload.dll. However, a few seconds after loading it in IDA Pro, I could see strings that were encrypted; simply click on one to find the block of code referencing it.
Image 1 shows the encrypted string found; I have highlighted the important value used. The trojan decrypts the string by a simple XOR with the value in register bl, 1Bh (1B hex = 27 in decimal).

Image 2 shows the encrypted string in the file; the file was only small, so the string was very easy to find. It could also have been found in other ways, or even decrypted in IDA with a simple script.

Image 3 shows the decryption. This hex editor has a nice option: all I had to do was choose XOR and enter 1B hex as the value to XOR with:

Here we see where the name comes from: dnamec and dnameo are used as names for something. Analysts would have quickly decided to use dnamec or DANMEC as a suitable trojan name. Classification is more important than the actual name given, despite the benefits universal virus naming would bring.
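The single-byte XOR decryption described above, as an added example that is not code from the original post: it decodes with the 1Bh key from the post and also brute-forces all 256 keys, ranking candidates by how readable the output is, which is what a "simple script" in IDA or a hex editor's XOR option does by hand. The ciphertext is constructed here by encrypting the two recovered names, not taken from the Danmec sample, and short strings can produce several fully readable candidates, so the analyst still eyeballs the top results.

```python
# Added example, not code from the original post: single-byte XOR string
# decoding and key ranking. KEY is the value from the post; the ciphertext
# is constructed below by encrypting a known plaintext, not extracted from
# the Danmec binary.
import string

KEY = 0x1B  # the value the trojan loads into bl before the XOR loop

# Bytes an analyst would accept as "readable": letters, digits, space and
# a period. Tabs, newlines and 0x7F (DEL) are deliberately excluded.
READABLE = set((string.ascii_letters + string.digits + " .").encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encryption and decryption are the same op."""
    return bytes(b ^ (key & 0xFF) for b in data)


def readability(data: bytes) -> float:
    """Fraction of bytes in READABLE; 1.0 means the whole string is plain text."""
    if not data:
        return 0.0
    return sum(b in READABLE for b in data) / len(data)


def rank_single_byte_keys(cipher: bytes) -> list[tuple[float, int, bytes]]:
    """Try all 256 keys and return (score, key, plaintext), best score first.

    Ties are broken by key value; several keys can give fully readable output
    for a short string, so the caller inspects the top group rather than [0].
    """
    scored = [(readability(xor_bytes(cipher, k)), k, xor_bytes(cipher, k))
              for k in range(256)]
    scored.sort(key=lambda t: (-t[0], t[1]))
    return scored


# Constructed sample: the two names the post recovered, encrypted with KEY.
PLAINTEXT = b"dnamec dnameo"
CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)  # starts 7f 75 7a 76 7e 78 3b ...

if __name__ == "__main__":
    ranked = rank_single_byte_keys(CIPHERTEXT)
    best = ranked[0][0]
    # Print every candidate that ties for the best score; 0x1B is among them.
    for score, key, plain in ranked:
        if score == best:
            print(f"key=0x{key:02X} score={score:.2f} {plain!r}")
```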
Related: AV-Test.org have a virus name comparison list available. Visit them here.