

DonaldD.Trojan

 

DonaldD.Trojan is similar to BackOrifice.Trojan. When installed on a Microsoft Windows system, this backdoor trojan horse program allows others to gain full access to the system through a network connection. It consists of two pieces: a server and a client application. Both are capable of running under Windows 95, 98, and NT 4.0.

The port number through which the client controls the server is configurable. However, as long as that port is blocked by a firewall, this trojan horse will not be able to reach the server, regardless of whether TCP or SPX is used. There have been no reports of this program being able to break through a firewall.

The server application may be configured with several options.

The networking protocol may be TCP or SPX. Any port number between 1 and 65535 may be selected for communication. The default port number for TCP is 23476, with an additional default port of 23477. For SPX, the default is 0x9014, with an additional default port of 0x9015.

A password may be specified to restrict access to a server. However, version 1.52 of the trojan has a bug here. In the GUI client, the password typed in is first hashed with MD5 and converted to its 32-character hexadecimal representation; that string is what is sent to the server. The command-line client sends the password as typed, without any hashing or encryption. Thus, if a user sets the server's password with the command-line client, he cannot regain access with the GUI client using the same password.
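The following added example (not code from the original page or the trojan itself) models the version 1.52 mismatch: what each client transmits for the same password, and which set-client/access-client combinations the server's plain string comparison accepts. The function names are hypothetical, and the assumption that the server compares strings byte for byte without hashing is taken from the page's description.

```python
import hashlib

# Added example modelling the DonaldD.Trojan 1.52 client password bug.
# Function names are hypothetical; only the behaviour the page describes
# (GUI sends MD5 hex, command line sends plaintext) is modelled here.


def gui_client_credential(password: str) -> str:
    """What the GUI client transmits: the MD5 digest of the password,
    rendered as a 32-character hexadecimal string."""
    return hashlib.md5(password.encode("ascii")).hexdigest()


def cli_client_credential(password: str) -> str:
    """What the command-line client transmits: the password unchanged."""
    return password


def server_accepts(stored: str, presented: str) -> bool:
    """Model of the server check (assumption: it stores whatever string it
    was given at set time and later compares byte for byte, no hashing)."""
    return stored == presented


def cross_client_matrix(password: str) -> dict:
    """Try every combination of client used to set the password and client
    used to access the server afterwards."""
    clients = {"gui": gui_client_credential, "cli": cli_client_credential}
    result = {}
    for set_by, set_fn in clients.items():
        stored = set_fn(password)
        for use_by, use_fn in clients.items():
            result[(set_by, use_by)] = server_accepts(stored, use_fn(password))
    return result


if __name__ == "__main__":
    for (set_by, use_by), ok in cross_client_matrix("s3cret").items():
        print(f"set via {set_by}, access via {use_by}: {'ok' if ok else 'REJECTED'}")
```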

Here are some of the bugs found in version 1.52 of this trojan. When the client attempts to play a WAV file on the server and no filename is specified in this field, the client program crashes. The same happens when the client user forgets to specify the pathname for the server upgrade command.

Commands the client may send to the server:

Create and delete directories
Copy, delete, rename, upload and download files
View, terminate, set priorities for processes
Suspend and resume threads
Execute programs
Create and delete registry keys
Set registry values
Modify system date and time
Perform a shutdown, log-off, restart, and power-off
Obtain a list of windows opened
Get a snapshot of the whole screen or just for a specific window
Send messages to a specific window
Modify CMOS (however, this only works in Windows 95/98 for now)
Look at the contents of the buffer where the keyboard input is stored
Re-map and disable keyboard keys
Simulate certain keystrokes (only works in Windows 95/98)
Open and close the CD-ROM tray
Turn the monitor on and off
Display message boxes with a choice of button sets
Play wave (WAV) files
Chat with other people
Obtain CMOS and screensaver passwords
Query a list of shared resources

TIPS
Reboot the machine from a clean DOS boot or Windows Startup floppy disk.
Go to the \WINDOWS\SYSTEM directory on the drive where Windows is installed.
Delete the file that the antivirus product detected as DonaldD.Trojan. Remove the floppy disk and restart the system.
Edit the Windows registry using REGEDIT.EXE. Go to the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\

Delete the folder named VMLDR.

Go to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

In the right-hand pane, look for the value named BootExecute. Right-click BootExecute and select Modify. The editor shows hexadecimal bytes with their ASCII text beside them. Look for bootexec.
To its left, among the hexadecimal bytes, you will see the following: 00 62 6F 6F 74 65 78 65 63.
Highlight these bytes and press the backspace key to erase them. Make sure that you erase NO MORE and NO LESS than these bytes.
Click OK.
Scroll down the window and you will find two entries named Pdata0 and Pdata1, next to each other. Right-click each of them and select Delete.
This should delete the entries from all ControlSet registry keys (i.e., ControlSet01, ControlSet02, etc.).
Then restart the system. Once Windows has started, open the Command Prompt from the Start/Programs... menu and delete the file that the antivirus product detected as DonaldD.Trojan.
Check the registry again to make sure the trojan did not reinstall itself.
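The BootExecute edit above removes one entry from a REG_MULTI_SZ value. The following added example (not code from the original page) parses such a blob, detects the bootexec entry, and strips exactly those bytes and nothing else. The sample blob is constructed, laid out in the 8-bit form the page's hex listing shows; the "autocheck autochk *" entry is assumed as the usual NT default.

```python
# Added example: detect and remove the trojan's "bootexec" entry from a
# BootExecute-style REG_MULTI_SZ blob, erasing no more and no less than
# the separator NUL plus the entry bytes the page lists.
# CONSTRUCTED_BLOB is a made-up sample; the autocheck entry is an assumption.

TROJAN_ENTRY = b"bootexec"  # bytes 62 6F 6F 74 65 78 65 63 from the page
CONSTRUCTED_BLOB = b"autocheck autochk *\x00bootexec\x00\x00"


def parse_multi_sz(blob: bytes) -> list:
    """Split a REG_MULTI_SZ blob into its entries.

    Each entry is NUL-terminated and the list ends with one extra NUL,
    so a well-formed blob always ends in two NUL bytes."""
    if not blob.endswith(b"\x00\x00"):
        raise ValueError("multi-string is not terminated by a double NUL")
    if blob == b"\x00\x00":
        return []
    return blob[:-2].split(b"\x00")


def build_multi_sz(entries: list) -> bytes:
    """Inverse of parse_multi_sz: re-terminate every entry and the list."""
    if not entries:
        return b"\x00\x00"
    return b"".join(e + b"\x00" for e in entries) + b"\x00"


def has_trojan_entry(blob: bytes) -> bool:
    """Detection: is a bootexec entry present (case-insensitive)?"""
    return any(e.lower() == TROJAN_ENTRY for e in parse_multi_sz(blob))


def remove_trojan_entry(blob: bytes) -> bytes:
    """Cleanup: drop only the bootexec entry, keeping every other entry
    and its terminating NUL byte-for-byte intact."""
    kept = [e for e in parse_multi_sz(blob) if e.lower() != TROJAN_ENTRY]
    return build_multi_sz(kept)


if __name__ == "__main__":
    cleaned = remove_trojan_entry(CONSTRUCTED_BLOB)
    print("before:", CONSTRUCTED_BLOB)
    print("after: ", cleaned)
    # The 9 bytes removed are the separator NUL plus "bootexec", i.e. the
    # 00 62 6F 6F 74 65 78 65 63 sequence the page tells you to highlight.
    print("bytes removed:", len(CONSTRUCTED_BLOB) - len(cleaned))
```

On a real NT system the value is stored as UTF-16, so the bytes would need decoding and re-encoding around these functions; the 8-bit layout here follows the page's listing.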

Windows 9x systems without an antivirus product installed

If you do not have an antivirus product that detects this trojan, do the following.
Reboot the system from a clean DOS boot or Windows Startup floppy disk. Go to the \WINDOWS\SYSTEM directory on the drive where Windows is installed.
Delete the following files:
PNPMGR.PCI
OLEPROC.EXE
VMLDR.VXD

Remove the floppy disk and restart the system.
Go to the following Windows registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\

Delete the folder named VMLDR.

Restart the machine again, check the registry, and make sure that the trojan did not reinstall itself.

 


 



Legal Disclaimer - We Are in no way connected with any School and or Companies linked to this page. Links are provided as a courtesy only.

http://www.poor-farm.com/
webmaster@poor-farm.com
McCann's PooR Farm
Aurora, Mo. 65605
© 2001