Trojan:Win32/Hiloti
First posted on 10 September 2010.
Source: SecurityHome
Aliases:
Trojan:Win32/Hiloti is also known as Trojan.Zefarch (Symantec).
Explanation:
Trojan:Win32/Hiloti is a generic detection for a trojan that interferes with an affected user's browsing habits and downloads and executes arbitrary files.
Installation
When executed, the malware copies itself to the Windows directory with a randomly generated file name (for example %windir%\svdetrxt.dll). It modifies this file so that it is treated as a DLL. The trojan creates a randomly named registry entry in which it stores configuration information, for example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Qwevonibumer
The trojan uses Windows hooks to load itself into running processes. In particular, it targets the following two processes in this manner:
explorer.exe
iexplore.exe
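The three installation artefacts above (a randomly named DLL dropped straight into %windir%, an unexpected subkey under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion, and a module from %windir% loaded into explorer.exe or iexplore.exe) can be checked on a host with the following triage script. It is an added example, not part of this analysis or of any Microsoft tooling. It assumes an elevated PowerShell session and an analyst-supplied baseline file (C:\Hunt\currentversion-baseline.txt, one subkey name per line, exported from a clean machine of the same Windows build); both the path and the idea of a baseline are assumptions for this example.

```powershell
# Added hunt script (not from the original write-up). Surfaces the three
# installation indicators described for Hiloti. Run from an elevated prompt.
# The baseline file is an assumption: build it from a known-clean host.

$windir = $env:windir

# 1. DLLs sitting directly in %windir% (not in a subfolder). Files shipped by
#    Windows in that location are signed; a random-name, unsigned DLL stands out.
Write-Host "== DLLs in $windir root lacking a valid Authenticode signature =="
Get-ChildItem -Path $windir -Filter '*.dll' -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                Created   = $_.CreationTime
                SigStatus = $sig.Status
            }
        }
    } | Format-Table -AutoSize

# 2. Subkeys under CurrentVersion that are absent from the clean-host baseline.
#    The malware's key has a random name, so the comparison is by exclusion.
$baselinePath    = 'C:\Hunt\currentversion-baseline.txt'   # assumption: analyst-supplied
$baselineSubkeys = Get-Content -Path $baselinePath
$cvKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
Write-Host "== Subkeys under $cvKey not in the baseline =="
Get-ChildItem -Path $cvKey |
    Where-Object { $baselineSubkeys -notcontains $_.PSChildName } |
    ForEach-Object {
        [pscustomobject]@{
            Subkey = $_.PSChildName
            Values = ($_.GetValueNames() -join ', ')
        }
    } | Format-Table -AutoSize

# 3. Modules loaded into the two hook targets whose on-disk location is
#    %windir% itself rather than a subfolder such as System32.
Write-Host "== Modules loaded from $windir root into explorer.exe / iexplore.exe =="
Get-Process -Name explorer, iexplore -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = $_
        $proc.Modules |
            Where-Object { (Split-Path -Path $_.FileName -Parent) -ieq $windir } |
            ForEach-Object {
                [pscustomobject]@{
                    Process = "$($proc.ProcessName) ($($proc.Id))"
                    Module  = $_.FileName
                }
            }
    } | Format-Table -AutoSize
```

The module check (step 3) must run from a PowerShell process of the same bitness as explorer.exe, otherwise the Modules property cannot be read; on a 64-bit system that means the 64-bit PowerShell host. Any hit in steps 1 or 3 should be preserved (copy the file, record its hash) before remediation, since the randomly generated names mean the path alone is not a reusable indicator.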
Payload
Allows backdoor access and control
When executed, the malware connects to a remote host to download configuration data, which may contain instructions to perform any of the following actions:
Download and execute arbitrary files
Display popups
Modify the content of HTML pages viewed by the user
Insert scripts into HTML pages viewed by the user
Monitors affected user's browsing habits
The trojan monitors URLs browsed by the user and sends related information to a remote host. Captured data includes, but is not limited to, search-related information. It does this by searching for substrings in the URL; for example, it may look for the following strings:
.bing.com
.live.
.msn.
.google.
.search123.
.teoma.
.wanadoo.
250000.co.uk
alexa.
alltheweb.com
altavista.
aol.
asiaco.
bbc.
Terminates processes
The trojan checks whether it is loaded in the following process, and if it is not, terminates the process:
MRT.exe
This process may belong to the Microsoft Malicious Software Removal Tool (MSRT).
</grg_replace>
<gr_insert after="12" cat="add_content" lang="powershell" orig="Allows backdoor access">
During incident response the question that follows from the URL-monitoring behaviour above is which of an affected user's requests the trojan would have reported. The script below, an added example that is not part of this analysis, applies the same plain-substring matching to proxy or web-filter log lines and pulls out the query string, since search terms are the data the write-up singles out. The log format (timestamp, client IP, URL, space-separated) and the sample lines are constructed for this example; adjust the split for your own log format.

```powershell
# Added scoping script (not from the original write-up). Lists the logged
# requests whose URL contains one of the substrings Hiloti is described as
# looking for, so an analyst can judge what browsing data may have left the host.

$HilotiSubstrings = @(
    '.bing.com', '.live.', '.msn.', '.google.', '.search123.', '.teoma.',
    '.wanadoo.', '250000.co.uk', 'alexa.', 'alltheweb.com', 'altavista.',
    'aol.', 'asiaco.', 'bbc.'
)

function Get-HilotiReportedRequests {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines
    )
    foreach ($line in $LogLines) {
        # Constructed format: <timestamp> <client IP> <URL>
        $fields = $line -split '\s+'
        if ($fields.Count -lt 3) { continue }
        $timestamp, $client, $url = $fields[0], $fields[1], $fields[2]
        $lowerUrl = $url.ToLowerInvariant()

        # Plain substring matching, as described: '.google.' also fires on
        # mail.google.com, so every hit is listed and the analyst decides relevance.
        $hit = $HilotiSubstrings | Where-Object { $lowerUrl.Contains($_) } | Select-Object -First 1
        if ($null -ne $hit) {
            $query = if ($url.Contains('?')) { $url.Substring($url.IndexOf('?') + 1) } else { '' }
            [pscustomobject]@{
                Time    = $timestamp
                Client  = $client
                Matched = $hit
                Host    = ([uri]$url).Host
                Query   = $query
            }
        }
    }
}

# Constructed sample log lines (not real traffic).
$sample = @(
    '2010-09-10T08:01:12Z 10.0.0.15 http://www.google.com/search?q=payroll+portal',
    '2010-09-10T08:01:30Z 10.0.0.15 http://intranet.example.local/home',
    '2010-09-10T08:02:05Z 10.0.0.22 http://search.live.com/results.aspx?q=vpn+password+reset',
    '2010-09-10T08:03:44Z 10.0.0.22 http://news.bbc.co.uk/',
    '2010-09-10T08:04:10Z 10.0.0.15 http://www.example.com/page?q=unrelated'
)

Get-HilotiReportedRequests -LogLines $sample | Format-Table -AutoSize
```

With the sample input, the first, third and fourth lines are reported (matching '.google.', '.live.' and 'bbc.' respectively); the intranet and example.com requests are not, even though the last one carries a query string, because no listed substring appears in its host. The substring list is the one given above and is illustrative of the behaviour, not a complete list of what the trojan matches.
</gr_insert>
<gr_replace lines="13" cat="reformat" orig="Analysis by Scott">
Analysis by Scott Molenkamp
Last update: 10 September 2010
Analysis by Scott MolenkampLast update 10 September 2010