Hiloti.gen.g

Type: Trojan
SubType: Generic
Discovery Date: 08/25/2010
Length: Varies
Minimum DAT: 6085 (08/25/2010)
Updated DAT: 6463 (09/08/2011)
Minimum Engine: 5.3.00
Description Added: 08/25/2010
Description Modified: 08/31/2010 5:52 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

"Hiloti.gen.g" is a generic detection for a Trojan; the detected DLL is a component dropped by the source file. The Trojan monitors the affected user's browsing activity and may connect to remote sites and download malicious files.

It injects into the following two Windows processes and performs its malicious activity from within them:

    • explorer.exe
    • iexplore.exe

The Trojan monitors the URLs browsed by the user and sends related information to a remote host.
It may look for the following strings in the browsed URLs; if one is found, it redirects the browser to remote sites.

    • .yahoo
    • .aclk
    • .msn
    • .live
    • .yahoo
    • .google
    • mywebsearch
    • search.aol

Upon execution, the Trojan drops the following files:

    • %AppData%\{04A9E038-E3A1-4BF0-B7F8-8EC2F1D92643}\chrome.manifest
    • %AppData%\{04A9E038-E3A1-4BF0-B7F8-8EC2F1D92643}\install.rdf
    • %AppData%\{04A9E038-E3A1-4BF0-B7F8-8EC2F1D92643}\chrome\content\_cfg.js
    • %AppData%\{04A9E038-E3A1-4BF0-B7F8-8EC2F1D92643}\chrome\content\overlay.xul  [Detected as JS/Redirector.ab]

The Trojan adds the following registry key, in which it stores its configuration information:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hnuruyaxubexuyir

The following registry values are added:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
      Lyevacuqepi = "rundll32.exe "[Path Of  DLL]\iyebuteb.dll",Startup"

The Run value above ensures that the Trojan executes every time Windows starts.

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{04A9E038-E3A1-4BF0-B7F8-8EC2F1D92643}:]
       =  "%AppData%\{04A9E038-E3A1-4BF0-B7F8-8EC2F1D92643}\"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hnuruyaxubexuyir\]
      Jlituzupij = ":IEXPLORE.EXE:0:123Mi4567t8"
      Eyaqaqojunehohi =
      Pvunecolayiza =

The following folders are added:

    • %AppData%\{04A9E038-E3A1-4BF0-B7F8-8EC2F1D92643}
    • %AppData%\{04A9E038-E3A1-4BF0-B7F8-8EC2F1D92643}\chrome
    • %AppData%\{04A9E038-E3A1-4BF0-B7F8-8EC2F1D92643}\chrome\content

[Note: %AppData% refers to C:\Documents and Settings\[UserName]\Application Data]
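The persistence and add-on artifacts listed above can be checked for on a live host with a read-only hunt. The script below is an added example, not part of the McAfee advisory; the GUID, DLL name, key names and file names are the values quoted above, while the function name Find-HilotiArtifacts and the profile-folder enumeration (covering both the XP "Application Data" layout the note names and the later "AppData\Roaming" layout) are assumptions.

```powershell
# Added example (not from the advisory): read-only hunt for Hiloti.gen.g artifacts.
# Run in an elevated PowerShell; nothing is modified or deleted.
function Find-HilotiArtifacts {
    $guid     = '{04A9E038-E3A1-4BF0-B7F8-8EC2F1D92643}'   # value from the advisory
    $dllName  = 'iyebuteb.dll'                             # value from the advisory
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Run key value that launches rundll32 with the dropped DLL's "Startup" export
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'rundll32' -and
                $p.Value -match [regex]::Escape($dllName)) {
                $findings.Add("Run value '$($p.Name)' = $($p.Value)")
            }
        }
    }

    # 2. Configuration key the Trojan creates under CurrentVersion
    $cfgKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Hnuruyaxubexuyir'
    if (Test-Path $cfgKey) { $findings.Add("Config key present: $cfgKey") }

    # 3. Machine-wide Firefox extension registration pointing at the dropped add-on
    $ffKey = 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions'
    if (Test-Path $ffKey) {
        $ext = (Get-ItemProperty -Path $ffKey).PSObject.Properties[$guid]
        if ($ext) { $findings.Add("Firefox extension registered: $guid -> $($ext.Value)") }
    }

    # 4. Dropped add-on files under each user profile (assumption: profiles live
    #    beside the current user's profile; both %AppData% layouts are checked)
    $profilesRoot = Split-Path -Path $env:USERPROFILE -Parent
    $dropped = @('chrome.manifest', 'install.rdf',
                 'chrome\content\_cfg.js', 'chrome\content\overlay.xul')
    foreach ($profile in Get-ChildItem -Path $profilesRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($appData in @('Application Data', 'AppData\Roaming')) {
            $extDir = Join-Path -Path $profile.FullName -ChildPath "$appData\$guid"
            foreach ($f in $dropped) {
                $path = Join-Path -Path $extDir -ChildPath $f
                if (Test-Path -LiteralPath $path) { $findings.Add("Dropped file: $path") }
            }
        }
    }
    return $findings
}

$hits = @(Find-HilotiArtifacts)
if ($hits.Count -eq 0) { 'No Hiloti.gen.g artifacts found.' }
else { $hits | ForEach-Object { "FINDING: $_" } }
```

A hit on the Run value alone is enough to confirm the startup hook described above; the extension files confirm the browser-redirect component.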

Symptoms

The symptoms of this detection are the files, registry entries, and network communication referenced in the Characteristics section.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore (Windows ME/XP only).

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

    N/A

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information

    • MD5 - 18b1e3177f6f3e78d522b6fd3b489f30
    • SHA1 - 044fa819002e77818a8e5a86ed95af0f308fedb8

Aliases

    • F-Secure - Trojan:W32/Hiloti.AP
    • Kaspersky - Trojan-Downloader.Win32.Mufanom.aafz
    • Microsoft - Trojan:Win32/Hiloti.gen!D
    • Symantec - Trojan.Zefarch!gen