is a trojan that installs a proxy, detected as TrojanProxy:Win32/Hioles.C, to intercept communication between the affected computer and the web-based email services provided by Hotmail, Yahoo! and Gmail.
When run, and depending on the user's access level, the trojan drops a randomly named trojan proxy DLL component into one of the following folders:
An example file name is "UjharyAjsigc.dll" or similar. The registry is modified so that the DLL component runs at each Windows start. Note that the SecurityProviders value is the list of security support provider DLLs that lsass.exe loads at startup, so writing to it requires administrative rights, whereas the HKCU Run entry can be set by a standard user. Below are example registry modifications made when the trojan is installed:
In subkey: HKLM\System\CurrentControlSet\Control\SecurityProviders
Sets value: "SecurityProviders"
With data: "<other file names>, <trojan proxy DLL file name>"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Time"
With data: "rundll32.exe <trojan proxy DLL file name>, Entrypoint"
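As an added example (not part of the original entry and not the analyst's own tooling), the following Python script audits a reg.exe export offline for the two modifications listed above: an unexpected DLL in the SecurityProviders list, and a Run entry that launches rundll32.exe with a DLL given by bare name or from outside the Windows directory. The registry export text and the provider allow-list are constructed assumptions for the demonstration; the real baseline must come from a clean reference host of the same Windows version.

```python
"""Offline audit of a reg.exe export for the persistence described above.

Added example; the export text and KNOWN_PROVIDERS baseline are constructed
assumptions, not data captured from a real infection.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg export` output: one clean Run entry plus the two
# modifications the entry above describes, using the example DLL name.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="credssp.dll, UjharyAjsigc.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Windows Time"="rundll32.exe UjharyAjsigc.dll, Entrypoint"
'''

# ASSUMPTION: example allow-list only. The default set differs by Windows
# release, so take the real baseline from a clean reference host.
KNOWN_PROVIDERS = {"credssp.dll", "pwdssp.dll", "msapsspc.dll",
                   "schannel.dll", "digest.dll", "msnsspc.dll"}

SECPROV_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REG_SZ values in a .reg file: {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def check_security_providers(data: str) -> List[str]:
    """Return DLL names in the SecurityProviders list that are not in the baseline."""
    entries = [e.strip().lower() for e in data.split(",") if e.strip()]
    return [e for e in entries if e not in KNOWN_PROVIDERS]


def _split_exe(cmd: str) -> Tuple[str, str]:
    """Split a command line into executable and remaining arguments (quoted exe allowed)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def check_run_entry(command: str) -> str:
    """Explain why a Run command is suspicious, or return '' if it looks fine."""
    exe, args = _split_exe(command.strip().lower())
    if ntpath.basename(exe) not in ("rundll32.exe", "rundll32"):
        return ""
    if not args:
        return "rundll32 without a DLL argument"
    # rundll32.exe <dll>[,entrypoint] [args]: the DLL is the first argument.
    dll = args.split(",")[0].strip().strip('"')
    if "\\" not in dll:
        # A bare name is resolved through the DLL search order, exactly the
        # "rundll32.exe <dll>, Entrypoint" shape documented above.
        return f"rundll32 loads {dll!r} by bare name (search-order resolution)"
    if not dll.startswith(("c:\\windows\\", "%systemroot%\\")):
        return f"rundll32 loads {dll!r} from outside the Windows directory"
    return ""


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Run both checks over an export; returns (key, value name, reason) findings."""
    findings = []
    keys = parse_reg_export(text)
    secprov = keys.get(SECPROV_KEY.lower(), {}).get("SecurityProviders", "")
    for dll in check_security_providers(secprov):
        findings.append((SECPROV_KEY, "SecurityProviders", f"unknown provider DLL {dll!r}"))
    for run_key in RUN_KEYS:
        for name, cmd in keys.get(run_key.lower(), {}).items():
            reason = check_run_entry(cmd)
            if reason:
                findings.append((run_key, name, reason))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name}: {reason}")
```

On a real host, export the two keys with `reg export` (run elevated for the HKLM key), feed the files to `audit`, and treat any SecurityProviders entry outside the baseline as a priority finding: that DLL is loaded into lsass.exe as SYSTEM, not just into the user's session.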
The dropped proxy DLL is injected into one of the following processes before it performs its payload:
Task Manager (taskmgr.exe)
Intercepts communication with web-based email services
The trojan is used by the attacker to intercept communications with the following websites, which offer web-based email:
Analysis by Daniel Radu
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom.