Trojan-Downloader:W32/Hiloti

Classification

Malware

Trojan-Downloader

W32

Trojan-Downloader:W32/Hiloti, Gen:variant.hiloti.1, Trojan-Downloader.Win32.Mufanom, Trojan:Win32/Hiloti.gen!D (Microsoft)

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

Check for the latest database updates

First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample

After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning

If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

Note: You need administrative rights to change the settings.

Technical Details

Trojan-Downloader:W32/Hiloti identifies a family of programs that download and execute malicious files onto the affected system.Variants in this family may also be identified as variants in the Trojan-Downloader:W32/Mufanom family.The details below are for a representative variant in the Hiloti family.

Execution

The variant drops a file at %windir% as:

[random filename][random filename].dll

[random filename]

And loads it using rundll32.exe.The malware then downloads a file[random filename2] from:

[random filename][random filename2][removed].edvehal.com/GET /get2.php?

And saves it to the following location:

%windir%\[random filename].dll

[random filename][random filename2]

The malware then performs DNS Query using the infected system's information, for example:

[random filename][random filename2]0000407015.742c6d13.01.[hash].n.empty.772.empty.5_1._t_i.ffffffff.explorer_exe.154.rc2.[removed]uploading.com

[random filename][random filename2]

Registry Changes

During execution, the malware creates a registry key to create a launchpoint:

[random filename][random filename2]HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [random value] = rundll32.exe "C:\WINDOWS\[random filename][random filename].dll",Startup

[random filename][random filename2][random filename]

Then it creates random registry keys:

[random filename][random filename2][random filename]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename]
[random filename][random filename2][random filename]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename][random filename][random filename2][random filename] [random value][random filename][random filename2][random filename] = 154
[random filename][random filename2][random filename]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename][random filename][random filename2][random filename] [random value][random filename][random filename2][random filename] = ""
[random filename][random filename2][random filename]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename][random filename][random filename2][random filename] [random value][random filename][random filename2][random filename] = ""

It also creates 8-character mutexes with random name, such as 4fef8c25, 1dfefa41, and ef485b09.