Trojan:Win32/Hioles.C


First posted on 02 March 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Hioles.C is also known as Win32/TrojanProxy.Holes.AA (ESET), Mal/Bredo-RH (Sophos).

Explanation:

Trojan:Win32/Hioles.C is a trojan that installs a proxy, detected as TrojanProxy:Win32/Hioles.C, to intercept communication from an affected computer with web email services provided by Hotmail, Yahoo! and Gmail.


Installation

When run, the trojan drops a randomly named trojan proxy DLL component into one of the following folders, depending on the access level of the user account it runs under:

  • %windir%\System32\
  • %AppData%


An example file name is "UjharyAjsigc.dll" or similar. The registry is modified to run the DLL component at each Windows start. Below are example registry modifications made by the installation of the trojan:

In subkey: HKLM\System\CurrentControlSet\Control\SecurityProviders
Sets value: "SecurityProviders"
With data: "<other file names>, <trojan proxy DLL file name>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Time"
With data: "rundll32.exe <trojan proxy DLL file name>, Entrypoint"
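The two registry modifications above are the persistence indicators a responder can check directly. The following PowerShell is an added example written for this page, not code from the Microsoft write-up: it parses the comma-separated "SecurityProviders" value against a baseline and parses Run-key values of the form "rundll32.exe <dll>, <export>", flagging a DLL loaded from a user profile folder (where the trojan lands without administrative rights) or from anywhere outside %windir%. The baseline provider list, the function names, the sample registry data and the user path "C:\Users\alice\..." are all assumptions constructed for illustration; the correct baseline is whatever a known-clean host of the same Windows build carries.

```powershell
# Added example (not part of the Microsoft write-up): audit the two
# persistence locations this trojan uses. The baseline list and sample
# values are assumptions constructed for illustration.

# Assumed baseline; the real default varies by Windows version, so diff
# against a known-clean host of the same build before acting on results.
$BaselineSecurityProviders = @(
    'credssp.dll', 'msapsspc.dll', 'schannel.dll', 'digest.dll',
    'msnsspc.dll', 'pwdssp.dll'
)

function Get-UnexpectedSecurityProvider {
    # Split the comma-separated SecurityProviders data and return every
    # entry not in the baseline. The trojan appends its DLL to this list so
    # it is loaded into the LSA process as a security support provider.
    param(
        [Parameter(Mandatory)][string]$Data,
        [string[]]$Baseline = $BaselineSecurityProviders
    )
    $Data -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' -and ($Baseline -notcontains $_) }
}

function Test-Rundll32RunEntry {
    # Parse a Run-key value "rundll32.exe <dll>, <export>" and flag it when
    # the DLL is outside %windir% (e.g. under %AppData%) or has no path at
    # all, which would make rundll32 resolve it via the search path.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Data
    )
    $pattern = '(?i)^\s*"?(?:.*\\)?rundll32(\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)'
    if (-not ($Data -match $pattern)) {
        return $null   # not a rundll32 launch; outside the scope of this check
    }
    $dll    = $Matches[2]
    $export = $Matches[3]
    # Fall back to the usual path when run off a Windows host (e.g. pwsh on Linux).
    $windir = if ($env:windir) { $env:windir } else { 'C:\Windows' }
    $underWindir = $dll.StartsWith($windir, [System.StringComparison]::OrdinalIgnoreCase)
    [pscustomobject]@{
        ValueName  = $Name
        Dll        = $dll
        Export     = $export
        Suspicious = (-not $underWindir)
    }
}

function Invoke-HiolesPersistenceAudit {
    # Hypothetical wrapper: read both keys on the current host and return a
    # list of findings. Run elevated so HKLM is readable; HKCU only covers
    # the user running the script, so repeat per loaded user hive.
    $findings = @()

    $spKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
    $sp = (Get-ItemProperty -Path $spKey -Name 'SecurityProviders' `
            -ErrorAction SilentlyContinue).SecurityProviders
    if ($sp) {
        foreach ($dll in Get-UnexpectedSecurityProvider -Data $sp) {
            $findings += [pscustomobject]@{
                Location  = $spKey
                Indicator = "unexpected SecurityProviders entry: $dll"
            }
        }
    }

    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $r = Test-Rundll32RunEntry -Name $prop.Name -Data ([string]$prop.Value)
            if ($r -and $r.Suspicious) {
                $findings += [pscustomobject]@{
                    Location  = "$runKey\$($prop.Name)"
                    Indicator = "rundll32 loads $($r.Dll) via export $($r.Export)"
                }
            }
        }
    }
    $findings
}

# Constructed sample data modelled on the example values in the write-up.
Get-UnexpectedSecurityProvider -Data 'credssp.dll, UjharyAjsigc.dll'
Test-Rundll32RunEntry -Name 'Windows Time' `
    -Data 'rundll32.exe C:\Users\alice\AppData\Roaming\UjharyAjsigc.dll, Entrypoint'
```

On the constructed sample, the first call returns only "UjharyAjsigc.dll" and the second returns an object with Suspicious set to true, because the DLL sits under a user profile rather than %windir%. Invoke-HiolesPersistenceAudit combines both checks against the live registry; a value name of "Windows Time" in the Run key, as in the write-up, is itself worth noting since it mimics the legitimate W32Time service name.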

The dropped proxy is injected into one of the following processes before performing its payload:

  • Task Manager (taskmgr.exe)
  • Windows Explorer (explorer.exe)


Payload

Intercepts communication with web-based email services
The trojan proxy is used by the attacker to intercept communications with the following websites, which offer web-based email:

  • hotmail.com
  • gmail.com
  • yahoo.com




Analysis by Daniel Radu

Last update 02 March 2012
