
Trojan:Win32/Hioles.C


Trojan:Win32/Hioles.C is a trojan that installs a proxy, detected as TrojanProxy:Win32/Hioles.C, to intercept communication from an affected computer with web email services provided by Hotmail, Yahoo! and Gmail.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

 

Threat behavior


Installation

When run, and depending on the access level of the user account it runs under, the trojan drops a randomly named trojan proxy DLL component in one of the following folders:

  • %windir%\System32\
  • %AppData%

An example file name is "UjharyAjsigc.dll". The registry is modified so that the DLL component runs at each Windows start. Below are example registry modifications made during installation of the trojan:

In subkey: HKLM\System\CurrentControlSet\Control\SecurityProviders
Sets value: "SecurityProviders"
With data: "<other file names>, <trojan proxy DLL file name>"

For example:

 

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Time"
With data: "rundll32.exe <trojan proxy DLL file name>, Entrypoint"

The dropped proxy is injected into one of the following processes before performing its payload:

  • Task Manager (taskmgr.exe)
  • Windows Explorer (explorer.exe)
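The two registry modifications above are the most durable indicators this advisory gives: an unexpected DLL appended to the SecurityProviders list, and a Run value that launches a DLL through rundll32.exe. The following script, added here as an illustration and not part of the original advisory or of any Microsoft tool, checks a `reg export`-style dump for both. The registry dump, the user path and the benign OneDrive entry are constructed for the example; the DLL name is the example name the advisory gives; and the SecurityProviders baseline is an assumed placeholder that must be replaced with the value recorded from a known-clean machine of the same Windows build, because the legitimate list differs between versions.

```python
"""Check a `reg export`-style dump for the persistence entries the
Hioles.C advisory describes (added example, not Microsoft's code)."""
import re

# Constructed sample dump (not captured from a real infection). The DLL name
# "UjharyAjsigc.dll" is the example name the advisory gives; the user path and
# the benign OneDrive entry are invented for illustration.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, UjharyAjsigc.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Windows Time"="rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\UjharyAjsigc.dll, Entrypoint"
"""

# Assumed baseline: placeholder entries to be replaced with the SecurityProviders
# value recorded from a known-clean machine of the same Windows build.
BASELINE_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

SECURITY_PROVIDERS_KEY = r"hkey_local_machine\system\currentcontrolset\control\securityproviders"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# rundll32 syntax is "rundll32[.exe] <dll>[,<entrypoint>]"; capture the DLL path.
_RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name: data}} for the REG_SZ lines of a .reg dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.groups()
            # .reg files escape backslashes and double quotes with a backslash.
            keys[current][name] = re.sub(r"\\(.)", r"\1", data)
    return keys


def find_hioles_persistence(text):
    """Return a list of (location, value_or_entry, reason) findings."""
    findings = []
    keys = parse_reg_export(text)

    # Indicator 1: an entry in SecurityProviders that the clean baseline does not contain.
    providers = keys.get(SECURITY_PROVIDERS_KEY, {}).get("SecurityProviders", "")
    for entry in (e.strip() for e in providers.split(",") if e.strip()):
        if entry.lower() not in BASELINE_SECURITY_PROVIDERS:
            findings.append(("SecurityProviders", entry, "DLL not in the clean-machine baseline"))

    # Indicator 2: a Run value that starts a DLL via rundll32.exe from a user-profile
    # directory, or that uses the "Windows Time" value name the advisory gives.
    for key, values in keys.items():
        if not key.endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            match = _RUNDLL_RE.search(data)
            if not match:
                continue
            dll = match.group(1).strip()
            reasons = []
            if "\\appdata\\" in dll.lower():
                reasons.append("rundll32 loads a DLL from a user-profile directory")
            if name.lower() == "windows time":
                reasons.append("value name matches the advisory's example Run entry")
            if reasons:
                findings.append((key, name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for location, item, reason in find_hioles_persistence(SAMPLE_REG_EXPORT):
        print(f"{location}: {item!r}: {reason}")
```

On a live system the same checks apply to the output of `reg export HKLM\System\CurrentControlSet\Control\SecurityProviders` and of the HKCU and HKLM Run keys; a SecurityProviders entry that is absent from the baseline is worth pulling for analysis even when it sits in %windir%\System32, since the advisory notes the DLL may be dropped there under an administrative account.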

Payload

Intercepts communication with web-based email services
The trojan proxy is used by the attacker to intercept communications with the following websites, which offer web-based email:

  • hotmail.com
  • gmail.com
  • yahoo.com

Analysis by Daniel Radu


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

 

Prevention


Alert level: Severe
First detected by definition: 1.119.55.0
Latest detected by definition: 1.177.270.0 and higher
First detected on: Jan 18, 2012
This entry was first published on: Jan 18, 2012
This entry was updated on: Mar 02, 2012

This threat is also detected as:
  • Win32/TrojanProxy.Holes.AA (ESET)
  • Mal/Bredo-RH (Sophos)