Doly Trojan (1.1)
Server name: Doly Trojan
Version: 1.1
Different versions:  [1.1][1.35][1.50][1.60][1.70][1.70 SE][2.0]
Tested: Yes, on Windows 95 and Windows NT
Server size: 165K
Server files: Mstesk.exe

Infects: Windows 95/98/ME/NT/2000
Autoloads: Registry, startup group, win.ini
Default port: 1011 TCP
Can port be changed: No

Server Features

  • Change computer name
  • Change owner name
  • Change resolution to 640/480
  • Change the title color on open windows to a random color
  • Change volume to maximum or minimum
  • Close all windows
  • Close server
  • Disconnect server from internet
  • Display fatal error plus customizable message
  • Display FBI screen
  • Hide/show mouse
  • Hide/show task bar
  • Move mouse
  • Open/close cd-rom
  • Open FTP server
  • Remove windows background
  • Run program (visible to user or hidden)
  • Send to URL
  • Set all window names to another name
  • Set systems color
  • Sleep
  • Swap/unswap mouse buttons (Left button becomes right)
  • View running applications

 
Comments 
Doly Trojan 1.1 came with a 1.75 megabyte setup.exe file to infect your computer. The setup file installs a Memory manager file but also installs the trojan. However, because of the large setup file and the existence of newer versions, this older trojan is rare. Features include a format option, which may or may not work. The server can upload files and then run them, which allows other trojans to be installed.

How To Remove 
Quick fix: no quick fix programs
Manual removal:

  1. Remove the Ms tesk keys in the registry located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. This can be done with regedit or any other registry editing program.
  2. Open the win.ini (Usually c:\windows\system.ini) and remove the key: load=c:\windows\system\tesk.exe under [windows]. This can be done with any text editing program.
  3. If the computer has not been rebooted since the setup file was run, then do the following: Remove: copy c:\sys.lon c:\windows\start menu\programs\startup\MStesk.exe from the winstart.bat. Then remove: @echo off copy c:\sys.lon c:\windows\startM~1\programs\startup\mdm.exe in the autoexec.bat. Both the winstart.bat and autoexec.bat can be edited with notepad. Then delete c:\win.reg and c:\sys.lon if they exist.
  4. Reboot the computer, or close tesk.exe in the windows system directory and MStesk.exe in the windows start up directory (Usually c:\windows\start menu\programs\startup\) and in the program files directory (Usually c:\program files\).
  5. Delete the trojan file tesk.exe in the windows system directory and MStesk.exe in the windows start up directory (Usually c:\windows\start menu\programs\startup\) and in the program files directory (Usually c:\program files\). If any of the files cannot be deleted or closed, then reboot the computer into DOS mode and delete them there.
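
The file-based autoload entries from steps 2 and 3 can also be checked offline, for example against files pulled from a disk image. The Python below is an added example, not part of the original page; the function names and the sample file contents are constructed, and it assumes the text of win.ini, winstart.bat and autoexec.bat has already been read into memory.

```python
import re

# Indicators taken from the removal steps on this page.
INI_TARGET = "tesk.exe"          # step 2: load= entry under [windows]
DROPPER_SOURCE = r"c:\sys.lon"   # step 3: source file of the copy lines
BATCH_FILES = {"winstart.bat", "autoexec.bat"}
COPY_RE = re.compile(r"(?i)\bcopy\s+" + re.escape(DROPPER_SOURCE) + r"\s")

def scan_ini(text):
    """Return (line_no, line) for load= entries under [windows] naming tesk.exe."""
    hits, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and not line.startswith(";"):
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "load" and INI_TARGET in value.lower():
                hits.append((no, line))
    return hits

def scan_batch(text):
    """Return (line_no, line) for active (not rem'd) copy commands reading sys.lon."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not re.match(r"(?i)(rem\b|::)", line) and COPY_RE.search(line):
            hits.append((no, line))
    return hits

def scan(files):
    """files maps a path to its text; returns {path: [(line_no, line), ...]}."""
    report = {}
    for path, text in files.items():
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        scanner = scan_ini if base == "win.ini" else scan_batch if base in BATCH_FILES else None
        hits = scanner(text) if scanner else []
        if hits:
            report[path] = hits
    return report

# Constructed sample contents (not captured from a real infection).
SAMPLE = {
    r"c:\windows\win.ini": "\n".join(
        ["[windows]", r"load=c:\windows\system\tesk.exe", "[Desktop]", "load=tesk.exe"]),
    r"c:\autoexec.bat": "\n".join(
        [r"rem copy c:\sys.lon c:\x.exe",
         r"@echo off copy c:\sys.lon c:\windows\startM~1\programs\startup\mdm.exe"]),
    r"c:\config.sys": r"device=c:\windows\himem.sys",
}
```

A hit only points at a line to review. The registry Run keys from step 1 and the dropped files from step 5 still have to be checked separately.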

 
Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved. 
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal. 
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.