Doly Trojan (2.0)
Server name: Doly Trojan
Version: 2.0
Different versions:  [1.1][1.35][1.50][1.60][1.70][1.70 SE][2.0]
Tested: Yes, on Windows 95 and Windows NT
Server size: 104K
Server files: mdm.exe
Server icon:

Infects: Windows 95/98/ME
Autoloads: No
Default port: 3456 TCP
Can port be changed: no

Server Features

  • Change computer name
  • Change owner name
  • Change resolution to 640/480
  • Change the title color on open windows to a random color
  • Change volume to maximum or minimum
  • Close all windows
  • Close server
  • Chat with server
  • Computer run time
  • Disable double click
  • Disconnect server from internet
  • Display fatal error plus customizable message
  • Display FBI screen
  • File manager
  • Get ICQ password
  • Get ICQ UIN
  • Get passwords
  • Get user info
  • Hide/show all drives
  • Hide/show find dialog (Start menu..find)
  • Hide/show mouse
  • Hide/show run dialog (Start menu..run)
  • Hide/show task bar
  • ICQ notify
  • IRC notify
  • Key logger on/off
  • Move mouse
  • Open/close cd-rom
  • Open FTP server
  • Password protect server (password deleted if server not connected to within 4 days)
  • Remove windows background
  • Run program (visible to user or hidden)
  • Screen capture
  • Send key or string
  • Send to URL
  • Set all window names to another name
  • Set systems color
  • Shell spy
  • Sleep
  • Show/stop error screen
  • Shutdown windows
  • Start/stop crazy mouse
  • Swap/unswap mouse buttons (Left button becomes right)
  • View running applications
  • View, clear or change clipboard text

 
Comments 
The Doly Trojan 2.0 has been released as a beta and appears to be the last Doly Trojan. This version came with a brand new client and a server that was reduced to only 104 kilobytes. Doly Trojan 2.0 does not infect computers. The programmers suggested merging it with other files. Also the screen capture feature needs an extra DLL file to work, which needs to uploaded by the person using the server. The lack of infection capabilities and non-working features mean version 1.70 SE is probably encountered more often then this version. 

How To Remove 
Quick fix: no quick fix programs
Manual removal:

  1. Remove the Ms tesk keys in the registry located at HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run. Then delete Enable, parameters, path and startup keys in the registry located at HKEY_USERS\.Default\Software\Mirabilis\ICQ\Agent\Apps\Ava. Which can be done with regedit or any other registry editing program.
  2. Reboot the computer or close mdm.exe in the program files directory (Usually c:\program files\) and in the windows start up directory (Usually c:\windows\start menu\programs\startup\). Also reboot or close Kernal32.exe in the windows system directory. 
  3. Delete the trojan file Kernal32.exe in the windows system directory. Also delete mdm.exe in the windows start up directory (Usually c:\windows\start menu\programs\startup\) and in the program files directory (Usually c:\program files\). If any of the files can not be deleted or closed then reboot the computer into DOS mode and delete them there. 

 
Related 
Article: General removal info
Section: Test your knowledge, take our Trojan Quiz
Service: Trojan removal
Service: Tell a friend about this trojan
Service: Print this page
 
 
Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved. 
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal. 
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.