Trojan:Win32/Hiloti.gen!A


Trojan:Win32/Hiloti.gen!A is a generic detection for a family of trojans that may download potentially malicious files from a remote server and report system information back to the server. This trojan has been observed in the wild being dropped by Win32/FakePowav.


What to do now

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Upon execution, Win32/Hiloti.gen!A copies itself to the Windows folder as a DLL file with a random name, for example:
%windir%\wrifocemuvap.dll
 
It then modifies the system registry so that its copy runs every time Windows starts:
 
Adds value: "<random string>"
With data: "rundll32.exe %windir%\<malware file name>,e"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
For example:
Adds value: "Pwulinubesida"
With data: "rundll32.exe %Windir%\Plakafaripecil.dll,e"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
It also creates the following registry modification as part of its malicious routine:
 
Adds value: "<entry ID>"
With data: "<number>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\<string>
 
where <entry ID> and <string> are random strings generated by this trojan based on information from the local machine.
 
For example:
 
Adds value: "Sheqid"
With data: "54"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab
 
It creates a mutex to ensure that only one copy of itself is running at startup. The mutex name varies, for example:
  • 6d5ac198
  • 71981d42
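The persistence described above (a Run value of random name whose data is rundll32.exe loading a random-named DLL directly from %windir% through an export named "e") can be checked for offline in a registry export. The following is an added example, not part of the encyclopedia entry; the .reg text it parses is constructed, and the benign entries in it are invented for contrast.

```python
import re

# Constructed sample of a "reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# file: the page's Hiloti example plus two invented benign entries.
SAMPLE_RUN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe /tray"
"Pwulinubesida"="rundll32.exe %Windir%\\Plakafaripecil.dll,e"
"VendorTray"="rundll32.exe C:\\Windows\\system32\\vendortray.dll,TrayMain"
'''

# A REG_SZ line in a .reg export: "name"="data", with \ and " escaped by a backslash.
REG_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Hiloti's Run data: rundll32 (bare or with a path), a DLL that sits directly in the
# Windows folder (%windir% or <drive>:\Windows), entered via the export "e".
HILOTI_RUN_RE = re.compile(
    r"^\s*(?:\S*\\)?rundll32(?:\.exe)?\s+"
    r"(?:%windir%|[a-z]:\\windows)\\"
    r"(?P<dll>[a-z0-9]+\.dll)\s*,\s*e\s*$",
    re.IGNORECASE,
)


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_run_values(reg_text):
    """Return (value name, data) pairs for the REG_SZ lines of a .reg export."""
    values = []
    for line in reg_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            values.append((_unescape(m.group("name")), _unescape(m.group("data"))))
    return values


def find_hiloti_run_entries(values):
    """Flag Run values whose data matches the Hiloti rundll32 persistence pattern."""
    hits = []
    for name, data in values:
        m = HILOTI_RUN_RE.match(data)
        if m:
            hits.append({"value": name, "dll": m.group("dll"), "data": data})
    return hits


if __name__ == "__main__":
    for hit in find_hiloti_run_entries(parse_reg_run_values(SAMPLE_RUN_EXPORT)):
        print(f"suspicious Run value {hit['value']!r} loads {hit['dll']}: {hit['data']}")
```

A legitimate rundll32 entry that names a DLL under system32 with a descriptive export, like the constructed "VendorTray" line, is not flagged; only the bare-%windir% DLL with export "e" is.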
Payload
Connects to a Remote Server
Win32/Hiloti.gen!A may connect to the following server, possibly to download files or to report system information:
  • zfsearch.com
  • liftupgate.com
 
The downloaded files may be detected as other malware.
 
Analysis by Patrik Vicol

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.49.0.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Dec 02, 2008
This entry was first published on: Mar 05, 2009
This entry was updated on: Nov 25, 2010

This threat is also detected as:
  • Troj/Virtum-Gen (Sophos)
  • Win32/Vundo.CGP (CA)
  • Vundo (McAfee)
  • Trj/Downloader.MDW (Panda)
  • Trojan.Vundo (Symantec)