Trojan-Downloader:W32/Hiloti
First posted on 16 August 2010.
Source: SecurityHome

Aliases:
Trojan-Downloader:W32/Hiloti is also known as Trojan:Win32/Hiloti.gen!D (Microsoft).
Explanation:
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
Additional Details

Trojan-Downloader:W32/Hiloti identifies a family of programs that download and execute malicious files onto the affected system.
Variants in this family may also be identified as variants in the Trojan-Downloader:W32/Mufanom family.
The details below are for a representative variant in the Hiloti family.
Execution
The variant drops a file at %windir% as:
• [random filename].dll
and loads it using rundll32.exe.

The malware then downloads a file from:
• [removed].edvehal.com/GET /get2.php?
and saves it to the following location: %windir%\[random filename].dll

The malware then performs a DNS query that encodes the infected system's information in the queried name, for example:
• 0000407015.742c6d13.01.[hash].n.empty.772.empty.5_1._t_i.ffffffff.explorer_exe.154.rc2.[removed]uploading.com
Registry Changes

During execution, the malware creates a registry value to establish a launchpoint:
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  [random value] = rundll32.exe "C:\WINDOWS\[random filename].dll",Startup

Then it creates randomly named registry keys:
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename]
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename]
  [random value] = 154
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename]
  [random value] = ""
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename]
  [random value] = ""
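As an added illustration that is not part of the original description, the following Python heuristic flags the two observable indicators above in constructed log records: a Run value that launches a DLL from the Windows directory through rundll32's "Startup" entry point, and the long dot-separated DNS query name carrying system information. The "kind|key|value|data" record format, the sample file and value names, and the .invalid domain are assumptions made for the example.

```python
import re

# Run-key launchpoint from the description: rundll32.exe loading a DLL dropped in
# %windir% through its "Startup" entry point (only the entry point name is fixed).
RUN_VALUE_RE = re.compile(
    r'^rundll32(\.exe)?\s+"?[a-z]:\\windows\\[^\\"]+\.dll"?\s*,\s*startup\b', re.I)

def is_hiloti_run_value(data: str) -> bool:
    """True if a Run value's data matches the Hiloti rundll32 launchpoint shape."""
    return bool(RUN_VALUE_RE.match(data.strip()))

def looks_like_hiloti_dns(qname: str) -> bool:
    """Heuristic for the system-info beacon: many labels, 'empty' filler fields and
    a process name written as name_exe (e.g. explorer_exe) inside the query name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 10:
        return False
    return "empty" in labels and any(l.endswith("_exe") for l in labels)

# Constructed sample records (assumed format "registry|key|value|data" or "dns|qname").
# The random names and the .invalid domain are placeholders, not real indicators.
SAMPLE_EVENTS = [
    "registry|HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|hf4k2|"
    "rundll32.exe \"C:\\WINDOWS\\xqtyhvd.dll\",Startup",
    "registry|HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|Updater|"
    "\"C:\\Program Files\\Vendor\\updater.exe\" /background",
    "dns|0000407015.742c6d13.01.0123abcd.n.empty.772.empty.5_1._t_i.ffffffff"
    ".explorer_exe.154.rc2.placeholder-uploading.invalid",
    "dns|www.example.com",
]

def scan(events):
    """Return (indicator, detail) pairs for records matching either heuristic."""
    hits = []
    for line in events:
        fields = line.split("|")
        if fields[0] == "registry" and len(fields) == 4 \
                and fields[1].lower().endswith("\\run") \
                and is_hiloti_run_value(fields[3]):
            hits.append(("run_key", fields[2]))
        elif fields[0] == "dns" and len(fields) == 2 \
                and looks_like_hiloti_dns(fields[1]):
            hits.append(("dns_beacon", fields[1]))
    return hits

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_EVENTS):
        print(kind, detail)
```

The DNS heuristic keys on the beacon's structure (label count, "empty" filler, a name_exe process field) rather than on the domain, so it still applies when the command-and-control host changes.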
It also creates 8-character mutexes with random names, such as 4fef8c25, 1dfefa41, and ef485b09.

Last update 16 August 2010