Win32/Hioles


First posted on 13 March 2012.
Source: Microsoft

Aliases :

There are no other names known for Win32/Hioles.

Explanation :

Win32/Hioles is a trojan that communicates with a command and control (C&C) server to retrieve and execute commands, such as installing a reverse proxy on the infected computer.

Installation

Win32/Hioles is present either as an executable with an .EXE file extension, or as a dynamic link library with a .DLL file extension.

When installed as an .EXE file, the trojan may be present as one of the following files:

  • %TEMP%\kb<six numbers>.exe (for example, "kb291709.exe")
  • %AppData%\kb<six numbers>.exe (for example, "kb291709.exe")
  • %TEMP%\svchost.exe
  • %AppData%\svchost.exe


The registry is modified to run the trojan at each Windows start.

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: "<malware file name>"

When installed as a .DLL component, the trojan may be present as a randomly named file in one of the following folders:

  • %windir%\System32\
  • %AppData%


An example file name is "UjharyAjsigc.dll". The registry is modified to run the DLL component at each Windows start. Below are example registry modifications made by the installation of the trojan. Note that DLLs listed under the SecurityProviders value are loaded by the Local Security Authority process (lsass.exe) at startup, so this entry both persists the trojan and places its code inside a privileged system process:

In subkey: HKLM\System\CurrentControlSet\Control\SecurityProviders
Sets value: "SecurityProviders"
With data: "<other file names>, <trojan proxy DLL file name>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Time"
With data: "rundll32.exe <trojan proxy DLL file name>, Entrypoint"

Win32/Hioles may inject its payload code into other processes, for example:

  • Task Manager (taskmgr.exe)
  • Windows Explorer (explorer.exe)
  • lsass.exe

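The installation artifacts above (dropped file names, the self-named Run value, the rundll32 "Entrypoint" Run value and the extra SecurityProviders entry) can be checked mechanically. The script below is an added example, not Microsoft's code or the malware's own. It evaluates constructed, inline samples of those three artifact types so it runs offline; on a live host you would feed it a directory listing, the Run key values and the SecurityProviders data instead. The KNOWN_SECURITY_PROVIDERS baseline is an assumption: take the authoritative list from a known-clean host of the same Windows version rather than trusting this constant.

```python
"""Hunt for the Win32/Hioles persistence artifacts described in the text.

Added example (not from the original page). Sample data is constructed.
"""
import re
from pathlib import PureWindowsPath

# ASSUMPTION: a clean SecurityProviders baseline. Replace with the value read
# from a known-clean host of the same Windows version.
KNOWN_SECURITY_PROVIDERS = {
    "msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll", "credssp.dll",
}

# Dropped-file indicators from the description: kb<six digits>.exe or
# svchost.exe placed in %TEMP% or %AppData%. The genuine svchost.exe lives in
# %windir%\System32, so location is what separates the two.
DROP_NAME = re.compile(r"^(kb\d{6}|svchost)\.exe$", re.IGNORECASE)
DROP_DIR_VARS = ("%temp%", "%appdata%")                       # unexpanded form
DROP_DIR_SUFFIXES = ("\\temp", "\\appdata\\roaming", "\\application data")  # expanded form

# "rundll32.exe <dll>, <export>" as used by the DLL variant's Run value.
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?)\s*,\s*(?P<entry>\S+)$", re.IGNORECASE)


def suspicious_file(path):
    """True if path names kb######.exe or svchost.exe inside %TEMP% or %AppData%."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    in_drop_dir = parent in DROP_DIR_VARS or parent.endswith(DROP_DIR_SUFFIXES)
    return bool(DROP_NAME.match(p.name)) and in_drop_dir


def check_run_values(run_values):
    """Apply both Run-key patterns from the description to {value name: data}."""
    findings = []
    for name, data in run_values.items():
        # .EXE variant: the value name and its data are both the dropped file name.
        if name.lower() == data.lower() and DROP_NAME.match(PureWindowsPath(data).name):
            findings.append(f"Run value {name!r} is a self-named dropper entry")
        # .DLL variant: rundll32 loading a DLL through an export named "Entrypoint",
        # or loading any DLL out of the profile's AppData folder.
        m = RUNDLL.match(data.strip())
        if m:
            dll = PureWindowsPath(m.group("dll").strip('"'))
            in_appdata = str(dll.parent).lower().endswith(DROP_DIR_SUFFIXES[1:])
            if m.group("entry").lower() == "entrypoint" or in_appdata:
                findings.append(f"Run value {name!r} launches {dll.name} via rundll32 ({m.group('entry')})")
    return findings


def check_security_providers(value, baseline=KNOWN_SECURITY_PROVIDERS):
    """Flag SecurityProviders entries not in the clean baseline (LSASS loads each of these)."""
    entries = [PureWindowsPath(e.strip()).name.lower() for e in value.split(",") if e.strip()]
    return [f"unexpected SecurityProviders entry {e!r}" for e in entries if e not in baseline]


def hunt(file_paths, run_values, security_providers):
    """Combine the three checks into one list of findings."""
    findings = [f"dropped file {p!r}" for p in file_paths if suspicious_file(p)]
    findings += check_run_values(run_values)
    findings += check_security_providers(security_providers)
    return findings


# Constructed sample host data (not real telemetry), mirroring the description.
SAMPLE_FILES = [
    r"%TEMP%\kb291709.exe",
    r"C:\Users\alice\AppData\Roaming\svchost.exe",
    r"C:\Windows\System32\svchost.exe",            # the real one; must not fire
    r"C:\Windows\System32\UjharyAjsigc.dll",
]
SAMPLE_RUN = {
    "kb291709.exe": "kb291709.exe",
    "Windows Time": r"rundll32.exe C:\Windows\System32\UjharyAjsigc.dll, Entrypoint",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
SAMPLE_SECURITY_PROVIDERS = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, UjharyAjsigc.dll"

if __name__ == "__main__":
    for finding in hunt(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_SECURITY_PROVIDERS):
        print("FINDING:", finding)
```

On the constructed sample this reports five findings: the two dropped files, the self-named Run value, the "Windows Time" rundll32 entry and the extra SecurityProviders DLL, while the legitimate System32 svchost.exe and the OneDrive Run value stay quiet.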

Payload

Communicates with a remote server
The trojan attempts to register itself with a remote C&C server to establish communication and to receive commands. Some observed server domains include the following:

  • gogogobaby12.com
  • govenmahen.com
  • grabsfakus.com


Win32/Hioles could be instructed to perform the following actions:

  • update the C&C server address
  • function as a reverse proxy to the C&C server by using one of the following protocols
    • Socks4
    • Socks5
    • HTTP
    • HTTPS
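The reverse-proxy mode inverts the usual proxy direction: the infected host opens the connection to the C&C server, and the server end then sends SOCKS or HTTP CONNECT requests down that connection for the bot to fulfil. That inversion is the detection signal, since a SOCKS4, SOCKS5 or HTTP CONNECT request should never arrive from the remote side of a connection the host itself initiated. The code below is an added example, not Microsoft's code or the malware's own; it parses the three plaintext request types named above and flags them when they come from the remote end of an outbound flow. The flow records and request bytes are constructed (TEST-NET addresses, the page's C&C domains as remote names). The HTTPS mode cannot be classified this way because the request is inside TLS; see the note after the code.

```python
"""Flag proxy requests received on host-initiated connections (reverse proxy use).

Added example (not from the original page). Sample flows are constructed.
"""
import re
import struct
from ipaddress import IPv4Address

# HTTP CONNECT request line, as a forward proxy would receive it.
HTTP_PROXY_REQ = re.compile(rb"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]\r\n")


def classify_proxy_request(data):
    """Return (protocol, target) for a proxy request, or None if the bytes are not one.

    SOCKS4 CONNECT/BIND: 0x04, cmd (1 or 2), 2-byte port, 4-byte IPv4, NUL-terminated userid.
    SOCKS5 greeting:     0x05, nmethods, then nmethods auth-method bytes.
    HTTP CONNECT:        "CONNECT host:port HTTP/1.x\r\n".
    """
    if len(data) >= 9 and data[0] == 0x04 and data[1] in (0x01, 0x02):
        (port,) = struct.unpack(">H", data[2:4])
        ip = IPv4Address(data[4:8])            # accepts the 4 packed bytes directly
        if data.find(b"\x00", 8) != -1:         # userid terminator present
            return ("socks4", f"{ip}:{port}")
    if len(data) >= 2 and data[0] == 0x05:
        nmethods = data[1]
        if nmethods and len(data) >= 2 + nmethods:
            methods = sorted(data[2:2 + nmethods])
            return ("socks5", "greeting methods=" + ",".join(f"{m:#04x}" for m in methods))
    m = HTTP_PROXY_REQ.match(data)
    if m:
        return ("http-connect", f"{m.group('host').decode()}:{m.group('port').decode()}")
    return None


def reverse_proxy_alerts(flows):
    """flows: iterable of (host_initiated, first_bytes_from_remote, remote_endpoint).

    A proxy request coming from the *remote* side of a connection the host opened
    is the inverted pattern the trojan's reverse-proxy mode produces.
    """
    alerts = []
    for host_initiated, first_bytes_from_remote, remote in flows:
        verdict = classify_proxy_request(first_bytes_from_remote)
        if host_initiated and verdict:
            proto, target = verdict
            alerts.append(f"{remote}: {proto} request received on outbound connection -> {target}")
    return alerts


# Constructed flows (not captured traffic). Targets use TEST-NET 192.0.2.0/24.
SAMPLE_FLOWS = [
    # Outbound to a C&C; remote sends SOCKS4 CONNECT to 192.0.2.10:25 (SMTP, i.e. spam relay).
    (True, b"\x04\x01" + struct.pack(">H", 25) + bytes([192, 0, 2, 10]) + b"bot\x00", "govenmahen.com:443"),
    # Outbound to a C&C; remote sends a SOCKS5 greeting offering no-auth and user/pass.
    (True, b"\x05\x02\x00\x02", "grabsfakus.com:8080"),
    # Outbound to a C&C; remote sends an HTTP CONNECT toward a mail provider.
    (True, b"CONNECT qip.ru:443 HTTP/1.1\r\nHost: qip.ru:443\r\n\r\n", "gogogobaby12.com:80"),
    # Outbound; remote sends an ordinary HTTP response: benign.
    (True, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", "example.com:80"),
    # Inbound connection where the client sends SOCKS5: a normal forward proxy, not this pattern.
    (False, b"\x05\x01\x00", "10.0.0.5:51234"),
]

if __name__ == "__main__":
    for alert in reverse_proxy_alerts(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

The first three flows raise alerts; the HTTP response and the inbound forward-proxy request do not. When the trojan uses its HTTPS mode the proxy request is carried inside TLS and these byte checks see nothing, so for that case fall back to flow-level signals: a long-lived outbound connection to an unfamiliar domain on which the server side sends data first, followed by the host opening many short connections to mail and web servers.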


The proxy service could be used for virtually any purpose such as the following:

  • register an account with an email provider such as "qip.ru"
  • browse websites
  • send spam email messages




Analysis by Shawn Wang

Last update 13 March 2012
