TrojanDownloader:Win32/Hoicfh.A
First posted on 06 July 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Hoicfh.A is also known as Trojan.Win32.Jorik.Lethic.xt (Kaspersky), Trojan.Lethic!xpImVCVIQqc (VirusBuster), TR/Dldr.Hoicfh.A.2 (Avira), Trojan-Downloader.Win32.Hoicfh (Ikarus), TROJ_SPNR.11FF12 (Trend Micro).
Explanation:
TrojanDownloader:Win32/Hoicfh.A is a trojan that connects to a certain server and downloads other malware.
Installation
Upon execution, TrojanDownloader:Win32/Hoicfh.A creates a mutex named "jiefhhfufh8zhhs8hoihojhähähd2h080hch" to make sure that only one copy of itself is executing in memory.
It drops and runs a copy of itself as the following file:
%AppData%\csrssr.exe
Note that a legitimate Windows file named "csrss.exe" exists by default in the Windows system folder. It is common practice for malware authors to use file names similar to legitimate files in an attempt to mislead you.
TrojanDownloader:Win32/Hoicfh.A creates the following registry entries to make sure that it automatically runs every time Windows starts:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows Hosting Service"
With data: "%AppData%\csrssr.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Sets value: "Windows RPC Host Service"
With data: "%AppData%\csrssr.exe"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Windows Live Messenger Update Service"
With data: "%AppData%\csrssr.exe"
It also creates the following registry entries as part of its installation process:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Windows (RPC) Remote Procedure Control Service"
With data: "%AppData%\csrssr.exe"
In subkey: HKLM\System\CurrentControlSet\Control\Lsa
Sets value: "Internet Explorer Update Service"
With data: "%AppData%\csrssr.exe"
Payload
Downloads other malware
TrojanDownloader:Win32/Hoicfh.A connects to a server at IP address 193.107.19.89 on port 8888 to download other malware. As of this writing, the server is unavailable.
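The installation and payload sections above give a defender two host-side indicators (the dropped file %AppData%\csrssr.exe written into several autorun values) and one network indicator (193.107.19.89:8888). The following script is an added example, not code from the encyclopedia entry or from Microsoft: it parses a registry export in .reg format, flags any autorun value whose data points at csrssr.exe (while ignoring the legitimate csrss.exe the entry warns about), reports whether the (key, value name) pair is one the entry lists, and scans connection-log lines for the C2 endpoint. The .reg text, the log lines, and the log format are constructed for the example; the indicator values themselves are taken from the entry.

```python
"""Indicator checks for TrojanDownloader:Win32/Hoicfh.A (added example, not Microsoft's code)."""
import re
from typing import Dict, List, Tuple

# Indicators quoted from the encyclopedia entry.
C2_HOST = "193.107.19.89"
C2_PORT = 8888
MUTEX_NAME = "jiefhhfufh8zhhs8hoihojhähähd2h080hch"  # usable with a handle-enumeration tool on Windows

# Matches "...\csrssr.exe" but not the legitimate "csrss.exe" in the system folder.
DROPPED_NAME = re.compile(r"(?:^|\\)csrssr\.exe$", re.IGNORECASE)

HKLM = r"HKEY_LOCAL_MACHINE"  # .reg files spell the hive out in full
# (subkey, value name) pairs the entry lists, lower-cased for comparison.
KNOWN_PAIRS = {
    (k.lower(), v.lower())
    for k, v in [
        (HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft Windows Hosting Service"),
        (HKLM + r"\Software\Microsoft\Windows\CurrentVersion\RunServices", "Windows RPC Host Service"),
        (HKLM + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Windows Live Messenger Update Service"),
        (HKLM + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Windows (RPC) Remote Procedure Control Service"),
        (HKLM + r"\System\CurrentControlSet\Control\Lsa", "Internet Explorer Update Service"),
    ]
}


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: [key] sections with "name"="data" lines (REG_SZ only; other types kept raw)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name = _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_persistence_entries(reg_text: str) -> List[Tuple[str, str, str, bool]]:
    """Return (key, value name, data, listed_in_entry) for every value whose data runs csrssr.exe."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        norm_key = HKLM + key[4:] if key.upper().startswith("HKLM\\") else key
        for name, data in values.items():
            if DROPPED_NAME.search(data.strip()):
                listed = (norm_key.lower(), name.lower()) in KNOWN_PAIRS
                hits.append((norm_key, name, data, listed))
    return hits


C2_ENDPOINT = re.compile(re.escape(C2_HOST) + ":" + str(C2_PORT) + r"(?!\d)")


def find_c2_connections(log_lines: List[str]) -> List[str]:
    """Return log lines that mention the C2 address and port from the entry."""
    return [line for line in log_lines if C2_ENDPOINT.search(line)]


# Constructed sample export: three listed pairs, one unlisted value pointing at the same file,
# and benign values (including the legitimate csrss.exe) that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\system32\\ctfmon.exe"
"Microsoft Windows Hosting Service"="%AppData%\\csrssr.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Updater"="%AppData%\\csrssr.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Windows Live Messenger Update Service"="C:\\Users\\alice\\AppData\\Roaming\\csrssr.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Internet Explorer Update Service"="%AppData%\\csrssr.exe"
"Decoy"="C:\\Windows\\system32\\csrss.exe"
'''

# Constructed connection log (hypothetical format): one hit, one other host, one wrong port.
SAMPLE_CONN_LOG = [
    "2012-07-06 09:41:02 TCP 192.168.1.20:49310 -> 193.107.19.89:8888 SYN",
    "2012-07-06 09:41:05 TCP 192.168.1.20:49311 -> 203.0.113.7:8888 SYN",
    "2012-07-06 09:41:09 TCP 192.168.1.20:49312 -> 193.107.19.89:80 SYN",
]

if __name__ == "__main__":
    for key, name, data, listed in find_persistence_entries(SAMPLE_REG):
        print(f"[{'listed' if listed else 'unlisted'}] {key} :: {name} = {data}")
    for line in find_c2_connections(SAMPLE_CONN_LOG):
        print("C2 contact:", line)
```

Matching on the file name rather than on the value names is deliberate: the value names are easy for a variant to change, whereas the dropped path and the C2 endpoint are what the rest of the entry depends on. The same parser works on a real `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run` output once `%AppData%` has been expanded by the dropper, which the Winlogon sample line illustrates.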
Analysis by Edgardo Diaz
Last update 06 July 2012