Aliases: W32/Trinoo, Trinoo, TROJ_TRINOO
Variants: N/A

Classification: Malware
Category: Trojan Horse

Status: Inactive
Spreading: low
Geographical info: Asia, Europe and US
Removal: Moderate
Platform: W32
Discovered: 30 Dec 1999
Damage: Medium

Characteristics: The main component of the W32.DoS.Trinoo program is the component that actually performs the attack.

More details about W32.DoS.Trinoo

Normally, the master component of the W32.DoS.Trinoo program is secretly installed on a hacked computer (a "zombie") on the network. The master component of this Trojan can transmit a number of UDP packets to a specific target computer. The target computer then tries to process the invalid UDP packets sent by the Trojan and responds to each of them with an "ICMP unreachable" message. Because of the number of UDP packets requiring a response, the target runs out of network bandwidth, which results in a denial of service. The W32.DoS.Trinoo program also has a client component that controls the master component. With the client component, hackers can control different master components and launch attacks from a remote location. The master component receives its commands from the client component, which sends them remotely.
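A defender can look for the traffic pattern described above, a burst of UDP packets to one host answered by a matching burst of ICMP unreachable messages. The following is an added detection example, not part of the original entry; the record format, the sample traffic and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed packet summaries: (time_s, src, dst, proto, info)."""
    recs = []
    # Flood: one sender hits one target with 200 UDP packets inside second 10
    for i in range(200):
        t = 10 + i / 200
        recs.append((t, "203.0.113.5", "192.0.2.10", "udp", f"dport={1024 + i}"))
        recs.append((t + 0.001, "192.0.2.10", "203.0.113.5", "icmp", "type=3"))
    # Benign background: a few DNS queries and a single stray unreachable
    for i in range(5):
        recs.append((10 + i * 0.1, "192.0.2.20", "192.0.2.53", "udp", "dport=53"))
    recs.append((10.5, "192.0.2.53", "192.0.2.20", "icmp", "type=3"))
    return recs

def find_udp_floods(records, window=1.0, min_udp=100, min_unreach=50):
    """Flag (sender, target) pairs with a UDP burst answered by ICMP unreachables."""
    udp = defaultdict(Counter)      # bucket -> {(sender, target): UDP packets}
    unreach = defaultdict(Counter)  # bucket -> {(sender, target): ICMP type 3 replies}
    for t, src, dst, proto, info in records:
        bucket = int(t // window)
        if proto == "udp":
            udp[bucket][(src, dst)] += 1
        elif proto == "icmp" and info == "type=3":
            # The reply travels target -> sender, so store it under the UDP direction
            unreach[bucket][(dst, src)] += 1
    hits = []
    for bucket in sorted(udp):
        for (sender, target), n in udp[bucket].items():
            m = unreach[bucket][(sender, target)]
            # Both thresholds are assumed values; tune them to the monitored link
            if n >= min_udp and m >= min_unreach:
                hits.append({
                    "window_start": bucket * window, "sender": sender,
                    "target": target, "udp": n, "unreachable": m,
                })
    return hits

if __name__ == "__main__":
    for hit in find_udp_floods(build_sample()):
        print(hit)
```
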

W32.DoS.Trinoo is a compiled version of the Trinoo master component for Windows. The Trinoo master component can also be compiled for UNIX platforms such as Linux. When the W32.DoS.Trinoo program is executed on a system, it copies itself to the windows\system directory as service.exe. It also modifies the system registry so that this copy runs whenever the computer is restarted. Once the W32.DoS.Trinoo program is loaded in memory, it listens for commands such as mdos, mping, dos, mtimer or msize from the Trinoo client program and performs the corresponding tasks.