Trojan:Win32/Hiloti.gen!A
First posted on 16 April 2009.
Source: SecurityHome
Aliases:
Trojan:Win32/Hiloti.gen!A is also known as Troj/Virtum-Gen (Sophos), Win32/Vundo.CGP (CA), Vundo (McAfee), Trj/Downloader.MDW (Panda), Trojan.Vundo (Symantec).
Explanation:
Trojan:Win32/Hiloti.gen!A is the generic detection for a family of trojans related to the Trojan:Win32/Vundo family but with less obfuscation. It may download potentially malicious files from a remote server and report system information back to the server.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
Installation
Upon execution, Win32/Hiloti.gen!A copies itself to the Windows folder as a DLL file with a random name, for example:
%windir%\wrifocemuvap.dll
It then modifies the system registry so that its copy runs every time Windows starts:
Adds value: "<random string>"
With data: "rundll32.exe %windir%\<malware file name>,e"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
For example:
Adds value: "Pwulinubesida"
With data: "rundll32.exe %Windir%\Plakafaripecil.dll,e"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also creates the following registry modification as part of its malicious routine:
Adds value: "<entry ID>"
With data: "<number>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\<string>
where <entry ID> and <string> are random strings generated by this trojan based on information from the local machine. For example:
Adds value: "Sheqid"
With data: "54"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab
It creates a mutex to ensure that only one copy of itself is running at startup. The mutex name varies, for example: 6d5ac198, 71981d42
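As an added defender-side illustration (not part of the original analysis), the following Python checks exported Run-key value data for the persistence shape described above: rundll32.exe loading a DLL that sits directly in the Windows folder through an export named "e". The sample value names and data are constructed for the example; on a live host the dictionary would be filled from winreg or a "reg query" export instead.

```python
import re
from typing import Dict, Optional

# Constructed sample of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# value data, as a defender might export them. Only the first entry mirrors
# the example given in the analysis; the rest are made-up benign/odd cases.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "Pwulinubesida": r"rundll32.exe %Windir%\Plakafaripecil.dll,e",
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "VendorTool": r'"C:\Program Files\Vendor\tool.exe" /background',
    "Wrifo": r"RUNDLL32.EXE C:\Windows\wrifocemuvap.dll,e",
    "SysDll": r"rundll32.exe %windir%\system32\foo.dll,Entry",
}

# rundll32 command line: optional full path to rundll32, then "<dll>,<export>".
_RUNDLL = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# A DLL directly under the Windows folder (not in System32 or any subfolder),
# whether written as %windir%, %SystemRoot% or a literal drive path.
_WINROOT_DLL = re.compile(
    r'^(?:%windir%|%systemroot%|[A-Za-z]:\\windows)\\([^\\]+\.dll)$',
    re.IGNORECASE,
)


def classify_run_value(data: str) -> Optional[str]:
    """Return a reason if the value data has the Hiloti persistence shape, else None."""
    m = _RUNDLL.match(data)
    if not m:
        return None
    dll = m.group("dll").strip()
    export = m.group("export").strip('"')
    if _WINROOT_DLL.match(dll) and export.lower() == "e":
        return f"rundll32 loads {dll} from the Windows folder root via export 'e'"
    return None


def suspicious_run_values(values: Dict[str, str]) -> Dict[str, str]:
    """Map each Run value name whose data matches the pattern to the reason."""
    hits = {}
    for name, data in values.items():
        reason = classify_run_value(data)
        if reason:
            hits[name] = reason
    return hits
```

A match is a triage lead, not a verdict: legitimate software rarely loads a DLL from the Windows root through a one-letter export, but the file itself still needs to be examined.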
Payload
Connects to a Remote Server
Win32/Hiloti.gen!A may connect to the following servers, possibly to download files or to report system information:
zfsearch.com
liftupgate.com
The downloaded files may be detected as other malware.
Analysis by Patrik Vicol
Last update 16 April 2009