Threat behavior
Trojan:Win32/Hiloti.gen!D is a generic detection for a trojan that interferes with an affected user's browsing habits and downloads and executes arbitrary files.
Installation
When executed, the malware copies itself to the Windows directory under a randomly generated file name (for example %windir%\svdetrxt.dll). It modifies this copy so that it is treated as a DLL.
The trojan creates a randomly named registry key in which it stores configuration information, for example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Qwevonibumer
The trojan uses Windows hooks to load itself into running processes. In particular, it targets the following two processes in this manner:
- explorer.exe
- iexplore.exe
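As an added triage example (not part of the original analysis), the following Python script applies the two installation indicators above to constructed host inventories: a DLL sitting directly in %windir% (not in a subfolder) that is loaded into explorer.exe or iexplore.exe, and a subkey directly under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion that is not in a baseline for the host. The baselines, the sample module listing and the sample subkey list are all assumed for illustration; real baselines would be built from a known-clean image of the same Windows version.

```python
"""Hunt heuristics for the Hiloti installation indicators (added example, constructed data).

Checks implemented:
  * DLLs located directly in %windir% (e.g. C:\\Windows\\x.dll) that are outside a
    baseline and loaded into one of the processes the trojan hooks into.
  * Subkeys directly under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion that
    are not in the host baseline (the trojan stores its configuration in a
    randomly named key there).
All baselines and inventories below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed baseline: DLLs legitimately found directly in %windir% on the hypothetical host.
WINDIR_DLL_BASELINE = {"twain_32.dll"}

# Constructed, illustrative (not exhaustive) baseline of CurrentVersion subkeys on the host.
CURRENTVERSION_BASELINE = {
    "Run", "RunOnce", "Uninstall", "Explorer", "Policies",
    "Internet Settings", "App Paths", "Shell Extensions", "Installer",
}

# Processes the page says the trojan loads itself into via Windows hooks.
HOOK_TARGETS = {"explorer.exe", "iexplore.exe"}

# Matches "<drive>:\windows\<name>.dll" with nothing between the Windows folder and the file.
_WINDIR_ROOT_DLL = re.compile(r"[a-z]:\\windows\\[^\\]+\.dll")


def in_windir_root(path):
    """True if the module path is a DLL directly in %windir%, not in a subfolder."""
    p = path.lower().replace("/", "\\")
    return _WINDIR_ROOT_DLL.fullmatch(p) is not None


def suspicious_windir_modules(loaded_modules):
    """loaded_modules: {process_name: [module_path, ...]}.

    Returns {dll_name: {process, ...}} for DLLs in the %windir% root that are outside
    the baseline and loaded into at least one hook target.
    """
    hits = defaultdict(set)
    for proc, modules in loaded_modules.items():
        proc_l = proc.lower()
        if proc_l not in HOOK_TARGETS:
            continue
        for module in modules:
            if not in_windir_root(module):
                continue
            name = module.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name not in WINDIR_DLL_BASELINE:
                hits[name].add(proc_l)
    return dict(hits)


def unexpected_currentversion_keys(subkeys):
    """Return the CurrentVersion subkeys that are absent from the host baseline."""
    return sorted(k for k in subkeys if k not in CURRENTVERSION_BASELINE)


def triage(loaded_modules, currentversion_subkeys):
    """Combine both checks into one report dictionary."""
    return {
        "windir_dlls": suspicious_windir_modules(loaded_modules),
        "unexpected_keys": unexpected_currentversion_keys(currentversion_subkeys),
    }


# Constructed sample inventory: a per-process module listing and a subkey listing.
# The svdetrxt.dll and Qwevonibumer names are the examples given on the page.
SAMPLE_MODULES = {
    "explorer.exe": [r"C:\Windows\System32\shell32.dll", r"C:\Windows\svdetrxt.dll"],
    "iexplore.exe": [r"C:\Windows\System32\urlmon.dll", r"C:\Windows\svdetrxt.dll"],
    "notepad.exe": [r"C:\Windows\twain_32.dll"],
}
SAMPLE_CV_KEYS = ["Run", "RunOnce", "Explorer", "Qwevonibumer", "Uninstall"]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MODULES, SAMPLE_CV_KEYS), indent=2, default=sorted))
```

On the sample data the report lists svdetrxt.dll as loaded into both hooked processes and Qwevonibumer as the one subkey outside the baseline; a DLL that is only in notepad.exe, or that is in the baseline, is not reported.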
Payload
Allows backdoor access and control
When executed, the malware connects to a remote host to download configuration data, which may contain instructions to perform any of the following actions:
- Download and execute arbitrary files
- Display popups
- Modify the content of HTML pages viewed by the user
- Insert scripts into HTML pages viewed by the user
Monitors affected user's browsing habits
The trojan monitors URLs browsed by the user and sends related information to a remote host. Captured data includes, but is not limited to, search-related information. It selects URLs of interest by searching them for substrings such as the following:
.bing.com
.live.
.msn.
.google.
.search123.
.teoma.
.wanadoo.
250000.co.uk
alexa.
alltheweb.com
altavista.
aol.
asiaco.
bbc.
Terminates processes
The trojan checks whether it is loaded in the following process and, if it is not, terminates that process:
MRT.exe
This process may belong to the Microsoft Malicious Software Removal Tool (MSRT).
Analysis by Ray Roberts
Prevention