
TrojanDownloader:Win32/Hoicfh.A


First posted on 06 July 2012.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Hoicfh.A is also known as Trojan.Win32.Jorik.Lethic.xt (Kaspersky), Trojan.Lethic!xpImVCVIQqc (VirusBuster), TR/Dldr.Hoicfh.A.2 (Avira), Trojan-Downloader.Win32.Hoicfh (Ikarus), TROJ_SPNR.11FF12 (Trend Micro).

Explanation:



TrojanDownloader:Win32/Hoicfh.A is a trojan that connects to a certain server and downloads other malware.



Installation

Upon execution, TrojanDownloader:Win32/Hoicfh.A creates a mutex named "jiefhhfufh8zhhs8hoihojhähähd2h080hch" to make sure that only one copy of itself is executing in memory.

It drops and runs a copy of itself as the following file:

%AppData%\csrssr.exe

Note that a legitimate Windows file named "csrss.exe" exists by default in the Windows system folder. It is common practice for malware authors to use file names similar to legitimate files in an attempt to mislead you.

TrojanDownloader:Win32/Hoicfh.A creates the following registry entries to make sure that it automatically runs every time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows Hosting Service"
With data: "%AppData%\csrssr.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Sets value: "Windows RPC Host Service"
With data: "%AppData%\csrssr.exe"

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Windows Live Messenger Update Service"
With data: "%AppData%\csrssr.exe"

It also creates the following registry entries as part of its installation process:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Windows (RPC) Remote Procedure Control Service"
With data: "%AppData%\csrssr.exe"

In subkey: HKLM\System\CurrentControlSet\Control\Lsa
Sets value: "Internet Explorer Update Service"
With data: "%AppData%\csrssr.exe"
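The persistence pattern above (an autostart value in Run, RunServices, Winlogon or Lsa whose data points at an executable under %AppData% with a name imitating a Windows system binary) is easy to check for in exported autorun data. The following is an added example, not code from Microsoft or from this entry; the record tuples and the benign row are constructed for illustration.

```python
"""Flag Hoicfh.A-style persistence in autorun-style records.
Each record is (registry key, value name, data). A hit is a value under one
of the autostart keys named in the write-up whose data is an executable under
%AppData% that imitates a legitimate system file (csrssr.exe vs csrss.exe)."""
import ntpath

# Autostart locations named in the entry (HKLM hive, compared case-insensitively).
PERSISTENCE_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\windows nt\currentversion\winlogon",
    r"system\currentcontrolset\control\lsa",
}
# Dropped file name -> legitimate Windows binary it imitates.
LOOKALIKE_OF = {"csrssr.exe": "csrss.exe"}


def normalise_key(key):
    """Lower-case the key and strip the HKLM / HKEY_LOCAL_MACHINE hive prefix."""
    key = key.lower().replace("hkey_local_machine\\", "hklm\\")
    return key[len("hklm\\"):] if key.startswith("hklm\\") else key


def is_appdata_path(data):
    """True for the unexpanded %AppData% form or an expanded roaming profile path."""
    d = data.strip('"').lower()
    return (d.startswith("%appdata%\\") or "\\appdata\\roaming\\" in d
            or "\\application data\\" in d)


def suspicious_entries(records):
    """Return (key, value name, exe, imitated file) for every matching record."""
    findings = []
    for key, name, data in records:
        if normalise_key(key) not in PERSISTENCE_KEYS:
            continue
        exe = ntpath.basename(data.strip('"')).lower()
        if is_appdata_path(data) and exe in LOOKALIKE_OF:
            findings.append((key, name, exe, LOOKALIKE_OF[exe]))
    return findings


# Constructed sample: two rows taken from the entry plus one benign autorun row.
SAMPLE_RECORDS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "Microsoft Windows Hosting Service", r"%AppData%\csrssr.exe"),
    (r"HKLM\System\CurrentControlSet\Control\Lsa",
     "Internet Explorer Update Service", r"%AppData%\csrssr.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "VendorUpdater", r"C:\Program Files\Vendor\updater.exe"),  # constructed, benign
]

if __name__ == "__main__":
    for key, name, exe, real in suspicious_entries(SAMPLE_RECORDS):
        print("persistence: %s\\%s -> %s (imitates %s)" % (key, name, exe, real))
```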



Payload

Downloads other malware

TrojanDownloader:Win32/Hoicfh.A connects to a server at the IP address 193.107.19.89 on port 8888 to download other malware. As of this writing, the server is unavailable.



Analysis by Edgardo Diaz

Last update 06 July 2012

 
