Doly Trojan (1.35)
Server name: Doly Trojan
Version: 1.35
Different versions:  [1.1][1.35][1.50][1.60][1.70][1.70 SE][2.0]
Tested: Yes, on Windows 95 and Windows NT
Server size: 184K
Server files: Mirabilis ICQ.exe

Infects: Windows 95/98/ME/NT/2000
Autoloads: Startup group
Default port: 1010 TCP
Can port be changed: No

Server Features

  • Change computer name
  • Change owner name
  • Change resolution to 640/480
  • Change the title color on open windows to a random color
  • Change volume to maximum or minimum
  • Close all windows
  • Close server
  • Disable double click
  • Disconnect server from internet
  • Display fatal error plus customizable message
  • Display FBI screen
  • Get ICQ UIN
  • Get passwords
  • Get user info
  • Hide/show mouse
  • Hide/show task bar
  • IRC notify
  • Key logger on/off
  • Move mouse
  • Open/close cd-rom
  • Open FTP server
  • Remove windows background
  • Run program (visible to user or hidden)
  • Send to URL
  • Set all window names to another name
  • Set systems color
  • Sleep
  • Show/stop error screen
  • Shutdown windows
  • Swap/unswap mouse buttons (Left button becomes right)
  • View running applications

 
Comments 
Doly Trojan 1.35, unlike the previous 1.1 version, comes with a 2.31 megabyte setup.exe file to infect your computer. The setup file installs a newer version of Memory manager than Doly 1.1 did; however, like Doly 1.1, the setup file also installs a trojan. Like version 1.1, Doly Trojan 1.35 has a format hard drive feature. It can also upload files and then run them, thus allowing other trojan infections. Doly 1.35 adds an IRC notify feature (or DolyIRC, as the programmers cleverly (?) call it), which lets servers advertise infected server information to a predefined IRC channel. The IRC notify feature allows anyone with a Doly client to sit in the IRC channel, wait for servers to broadcast their information, and then connect to the infected computer.

How To Remove 
Quick fix: no quick fix programs
Manual removal:

  1. Close Mirabilis ICQ.exe, which runs from the Windows startup directory (usually c:\windows\start menu\programs\startup\). If it cannot be removed from memory, reboot into DOS mode and delete the trojan file as described in step 2 from DOS.
  2. Delete the trojan file Mirabilis ICQ.exe in the Windows startup directory (usually c:\windows\start menu\programs\startup\).
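
The two indicators this entry gives, the server file name in the startup directory and the fixed TCP port 1010, can be checked before and after the manual removal. The following is an added example, not part of the original page; the function name, the finding labels and the sample data are constructed for illustration.

```python
import re

# Indicators from the entry above: server file name and fixed TCP port.
SERVER_FILE = "mirabilis icq.exe"
DEFAULT_PORT = 1010

# One TCP row of `netstat -an`: local addr:port, foreign addr:port, state.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.I)

def check_doly_135(startup_files, netstat_output):
    """Return (kind, detail) findings; each one is a lead to confirm by hand."""
    findings = []
    for name in startup_files:
        # Windows file names are case-insensitive, so compare lowercased.
        if name.strip().lower() == SERVER_FILE:
            findings.append(("startup-file", name.strip()))
    for line in netstat_output.splitlines():
        row = TCP_ROW.match(line)
        if not row or int(row.group(2)) != DEFAULT_PORT:
            continue  # not a TCP row, or the local port is not 1010
        local = f"{row.group(1)}:{row.group(2)}"
        remote = f"{row.group(3)}:{row.group(4)}"
        state = row.group(5).upper()
        if state == "LISTENING":
            findings.append(("listening", local))        # server waiting for a client
        elif state == "ESTABLISHED":
            findings.append(("peer-connected", remote))  # a peer is attached to port 1010
    return findings

# Constructed sample input (documentation address ranges, not a real capture).
SAMPLE_STARTUP = ["Office Startup.lnk", "Mirabilis ICQ.exe"]
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1010           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1010        198.51.100.7:3311      ESTABLISHED
  TCP    192.0.2.10:1035        203.0.113.9:1010       ESTABLISHED
  UDP    0.0.0.0:1010           *:*
"""

if __name__ == "__main__":
    for kind, detail in check_doly_135(SAMPLE_STARTUP, SAMPLE_NETSTAT):
        print(f"{kind}: {detail}")
```

On a real host, pass the file names found in the startup directory and the text output of `netstat -an`; a clean result after step 2 and a reboot means neither indicator is present any longer.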

 
 
 
Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved. 
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal. 
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.