
Trojan:Win32/Hiloti.gen!E


First posted on 02 September 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Hiloti.gen!E is also known as W32/Hiloti.I.gen!Eldorado (Authentium (Command)), Gen:Variant.Hiloti.1 (BitDefender), Trojan-Downloader.Win32.Mufanom (Ikarus), Hiloti.gen.e (McAfee), Mal/Hiloti-D (Sophos), Trojan.Win32.Hiloti.gen.f (Sunbelt Software), Cryp_Hiloti (Trend Micro), and Trojan.Hiloti.Gen!Pac (VirusBuster).

Explanation :

Trojan:Win32/Hiloti.gen!E is a generic detection for a trojan that may download and execute arbitrary files or communicate with a remote server.

Installation

Trojan:Win32/Hiloti.gen!E may be installed by other malware or when browsing a malicious web page. When run, the malware copies itself to the Windows directory with a randomly generated file name (for example "%windir%\svdetrxt.dll"). It modifies this copied file so that it is treated as a DLL. The trojan creates a randomly named registry entry in which it stores configuration information, for example:

  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pjabinosobuzito
  Sets value: "Bcupoyoxaj"
  To data: "346em9>;v*r",+**...`j.o.........@"
  Sets value: "Uheqe"
  To data: "c8xqadhagah}zol.p.@jd*"

The trojan uses Windows hooks to load itself into running processes. In particular, it targets the following two processes in this manner:

  • explorer.exe - Windows Explorer
  • iexplore.exe - Internet Explorer
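The write-up says the dropped copy is modified "so that it is treated as a DLL". The following is an added example, not code from the write-up or from the trojan: it assumes the modification is the IMAGE_FILE_DLL bit in the COFF file header (the flag the Windows loader consults), builds a constructed minimal PE image, shows how flipping that single bit turns an EXE header into a DLL header, and gives a triage check a responder can run over random-named DLLs found in %windir% to spot a header that disagrees with the file extension. Constants follow the PE/COFF specification; everything else (file names, the sample image) is constructed.

```python
import struct

# COFF file-header Characteristics bits (PE/COFF specification).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def build_minimal_pe(characteristics):
    """Construct a minimal PE image: a 64-byte DOS header whose e_lfanew points
    at the PE signature, followed by the 20-byte COFF file header.
    Constructed test data, not a real sample."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)      # e_lfanew field
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,            # Machine: IMAGE_FILE_MACHINE_I386
        1,                 # NumberOfSections
        0,                 # TimeDateStamp
        0,                 # PointerToSymbolTable
        0,                 # NumberOfSymbols
        0xE0,              # SizeOfOptionalHeader (PE32)
        characteristics,   # Characteristics
    )
    return bytes(dos) + b"PE\0\0" + coff


def characteristics_offset(data):
    """Locate the Characteristics field: e_lfanew + 4 (signature) + 18."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    off = e_lfanew + 4 + 18
    if off + 2 > len(data):
        raise ValueError("truncated COFF header")
    return off


def pe_characteristics(data):
    return struct.unpack_from("<H", data, characteristics_offset(data))[0]


def is_dll(data):
    return bool(pe_characteristics(data) & IMAGE_FILE_DLL)


def set_dll_flag(data, dll=True):
    """Return a copy with IMAGE_FILE_DLL set or cleared and every other byte
    intact: the kind of one-bit header edit that makes the loader accept the
    file as a DLL. Illustrative only; this is not the trojan's own routine."""
    off = characteristics_offset(data)
    chars = struct.unpack_from("<H", data, off)[0]
    chars = (chars | IMAGE_FILE_DLL) if dll else (chars & ~IMAGE_FILE_DLL)
    out = bytearray(data)
    struct.pack_into("<H", out, off, chars & 0xFFFF)
    return bytes(out)


def triage_file(name, data):
    """Cheap first check for a random-named file in %windir%: does the
    extension agree with the header?"""
    ext_says_dll = name.lower().endswith(".dll")
    header_says_dll = is_dll(data)
    if ext_says_dll and not header_says_dll:
        return "extension .dll but IMAGE_FILE_DLL clear"
    if header_says_dll and not ext_says_dll:
        return "IMAGE_FILE_DLL set but extension is not .dll"
    return "consistent"


if __name__ == "__main__":
    exe = build_minimal_pe(IMAGE_FILE_EXECUTABLE_IMAGE)
    as_dll = set_dll_flag(exe)
    print(hex(pe_characteristics(exe)), hex(pe_characteristics(as_dll)))
    print(triage_file(r"C:\Windows\svdetrxt.dll", exe))
    print(triage_file(r"C:\Windows\svdetrxt.dll", as_dll))
```

On a live host the same `triage_file` check can be pointed at every file under %windir% whose name matches no known Windows component; a consistent header is not proof of legitimacy, so treat a hit as a reason to pull the file for further analysis rather than as a verdict.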
Payload

Downloads arbitrary files

Trojan:Win32/Hiloti.gen!E attempts to connect to remote servers such as the following to download other malware:

  • 232807da0402.lantzel.com
  • rc2.a4h9uploading.com

Communicates with remote servers

The trojan sends data to remote servers to notify an attacker of the trojan installation. Below is an example data string sent by the trojan:

  <remote server>/get2.php?c=MDWHAYLA&d=26606B67393D3E302E64636F317E3E3D2121222427253078747D456E757923261044414710131F015D404E1615686B1C0304700A0774730E0C080E797E7C7A0E7075010206707172710D087C6A2F27212634206E65606F7130303E666C68693D595152534204020A55584C041F1B0B1D4D442D42522A021413444A4B4C4D4C4CB5B4B1B2A2F5F4E8EBB4CFF3FCE1E1FDF5E3BCD6CCD0B0FBFCA8C5FEA1ACB8FCCCCFD6FCC1989681DF9F9E969C8BC8928197C08E8593D5D9DCD5879DD5D9DFCBA5FCF3F1FCF5F3F4FCFDFAFAEA88819D

The string changes among samples of the trojan. In the wild, this trojan was observed to contact the following servers:

  • 192807da0427.gerborn.com
  • 232807da040b.gerborn.com
  • 232807da0414.husseta.com
  • 222807da0435.giselin.com
  • 222807da042e.aglardgr.com
  • 222807da042f.deanard.com
  • 232807da040d.leyeshv.com
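The beacon shape and the server names above are the network indicators a responder would turn into a proxy-log hunt. The following is an added example, not code from the write-up or from Microsoft: it takes the hosts listed on this page as a match list, adds a weak shape-based signal (most of the observed names put a 12-hex-digit label in front of the domain, an assumption generalised from those names), and flags `/get2.php?c=...&d=...` requests whose `d=` parameter is a hex blob. The token character set, the minimum blob length, and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Servers named in the write-up above.
KNOWN_HILOTI_HOSTS = {
    "232807da0402.lantzel.com",
    "rc2.a4h9uploading.com",
    "192807da0427.gerborn.com",
    "232807da040b.gerborn.com",
    "232807da0414.husseta.com",
    "222807da0435.giselin.com",
    "222807da042e.aglardgr.com",
    "222807da042f.deanard.com",
    "232807da040d.leyeshv.com",
}

# Weak signal (assumption drawn from the observed names): a leftmost label of
# exactly 12 hex digits in front of a registrable domain.
HEX_LABEL_HOST = re.compile(r"^[0-9a-f]{12}\.[a-z0-9-]+\.[a-z]{2,}$")

# Beacon shape from the page: /get2.php?c=<token>&d=<hex>. The token charset
# and the minimum blob length (8 bytes) are assumptions, not documented facts.
BEACON_PATH = "/get2.php"
TOKEN = re.compile(r"^[A-Za-z0-9]{4,16}$")
HEX_BLOB = re.compile(r"^(?:[0-9A-Fa-f]{2}){8,}$")


def classify_url(url):
    """Return the reasons a URL looks like a Hiloti beacon (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_HILOTI_HOSTS:
        reasons.append("known Hiloti host")
    elif HEX_LABEL_HOST.match(host):
        reasons.append("12-hex-digit host label")
    if parts.path == BEACON_PATH:
        query = parse_qs(parts.query)
        c = query.get("c", [""])[0]
        d = query.get("d", [""])[0]
        if TOKEN.match(c) and HEX_BLOB.match(d):
            reasons.append("get2.php beacon (c= token, d= hex blob)")
    return reasons


def scan_proxy_log(lines):
    """Scan constructed proxy lines of the form '<ts> <client> <method> <url>'
    and return (client, url, reasons) for each suspicious request."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed line: skip, do not crash
        client, url = fields[1], fields[3]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Constructed sample lines: the first two imitate the page's beacon and host
# shapes; the rest are benign traffic that must not fire.
SAMPLE_LOG = [
    "1283400000.001 10.0.0.15 GET http://232807da0402.lantzel.com/get2.php?c=MDWHAYLA&d=26606B67393D3E302E64636F31",
    "1283400000.002 10.0.0.15 GET http://222807da0499.example.net/get2.php?c=QWERTYUI&d=0011223344556677",
    "1283400000.003 10.0.0.22 GET http://www.example.com/get2.php?c=1&d=notahexstring",
    "1283400000.004 10.0.0.22 GET http://update.example.org/index.html",
]

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

The host-label signal is deliberately kept separate from the exact match list so that a new domain in the same naming scheme still surfaces, while the `get2.php` check catches the beacon even when the server changes; a hit on the weak signal alone deserves a look at the client rather than an automatic block.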

Analysis by Tim Liu

Last update 02 September 2010