
TrojanDropper:Win32/Heloag.A


First posted on 28 April 2010.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Heloag.A is also known as Win32/Triega.VE (CA), Trojan-Dropper.Win32.Agent.bena (Kaspersky), Downloader-CAK (McAfee), Trojan.DL.Win32.Undef.qov (Rising AV), TROJ_HELOAG.SMA (Trend Micro), Trojan.DR.Heloag.T (VirusBuster).

Explanation :

TrojanDropper:Win32/Heloag.A is a trojan that drops and installs Backdoor:Win32/Heloag.A and notifies a remote server of the installation. Backdoor:Win32/Heloag.A is a trojan that allows unauthorized access and control of an affected computer.

Installation :

When executed, TrojanDropper:Win32/Heloag.A checks for the presence of the following processes:

apvxdWin.exe
twister.exe
TMAS_OEMon.exe
ufseagnt.exe
tmproxy.exe
tmpfw.exe
tmbmsrv.exe
sfctlcom.exe
avgnsx.exe
AVWEBGRD.exe
avp.exe
KVPreScan.exe
vsserv.exe
ccSvcHst.exe
spideragent.exe
spidergate.exe
spiderml.exe
spiderui.exe
spidernt.exe
dwengine.exe
mpsvc2.exe
mpsvc1.exe
mpsvc.exe
mpmon.exe
scanfrm.exe
rstray.exe
rsnetsvr.exe
RavMoD.exe

If any of the above listed processes are found, the trojan deletes itself and quits. Otherwise, it drops a copy of Backdoor:Win32/Heloag.A as the following hidden file:

%windir%\conme.exe

The registry is modified to run the dropped backdoor trojan at each Windows start.

Sets value: "Shell"
From data: "Explorer.exe"
To data: "Explorer.exe %windows%\conme.exe asds"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Payload :

Communicates with a remote server

TrojanDropper:Win32/Heloag.A attempts to post the MAC address of the affected machine to a remote server in order to report the trojan installation. In the wild, this trojan has been observed to contact the following domain for this purpose:

www.vip900.cn

Additional Information :

For more information about Backdoor:Win32/Heloag.A, see the description elsewhere in the encyclopedia.
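The Winlogon "Shell" change described above is easy to audit from a registry export. The following Python script is an added example, not part of the original write-up or of any vendor tool: it parses a constructed .reg export and reports every program in the Shell value beyond the expected Explorer.exe, which is exactly the pattern this dropper leaves behind.

```python
# Added example (not from the original write-up): audits the Winlogon
# "Shell" value for the persistence pattern described above. A clean value
# is exactly "Explorer.exe"; Heloag.A appends its dropped backdoor, so any
# extra program in that value is worth investigating. The .reg export below
# is constructed sample input, not a capture from a real host.
import re
from typing import Dict, List

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed .reg export showing the modified Shell value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %windows%\\conme.exe asds"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse string values from a .reg export into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        key_match = re.match(r"^\[(.+)\]$", line.strip())
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        val_match = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if val_match and current is not None:
            # .reg files escape quotes and backslashes; undo that escaping.
            raw = val_match.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][val_match.group(1)] = raw
    return keys


def shell_extras(shell_value: str) -> List[str]:
    """Return every token in the Shell value beyond the expected explorer.exe."""
    tokens = re.findall(r'"[^"]*"|\S+', shell_value)
    if tokens and tokens[0].strip('"').lower() == "explorer.exe":
        return tokens[1:]
    return tokens  # explorer.exe missing or replaced outright: all of it is suspect


def audit_winlogon(reg_text: str) -> List[str]:
    """Return the unexpected entries found in the Winlogon Shell value."""
    values = parse_reg_export(reg_text).get(WINLOGON_KEY, {})
    return shell_extras(values.get("Shell", "Explorer.exe"))


if __name__ == "__main__":
    for entry in audit_winlogon(SAMPLE_REG_EXPORT):
        print("unexpected Winlogon Shell entry:", entry)
```

Any non-empty result from audit_winlogon should be treated as a persistence finding and the referenced file pulled for analysis; on a live host the same check applies to the value read directly from the registry.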

Analysis by Chun Feng

Last update 28 April 2010
