Win32/Theola [Threat Name]

Win32/Theola.A [Threat Variant Name]

Category: trojan
Size: 700416 B
Detection created: May 25, 2011
Detection database version: 10297
Aliases: Trojan.DownLoader2.59498 (Dr.Web), Win32:Alureon-ABY (Avast)
Short description

Win32/Theola.A is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan creates the following files:

  • %temp%\%variable%.tmp
  • %systemroot%\system32\adload04.dll
  • %userprofile%\adload0.dll
  • %userprofile%\init.tmp
  • %startup%\scankdiskto86.dll
  • %startup%\scandisk.lnk

The %variable% represents a random number.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "NvCplDaemonTool" = "rundll32.exe %userprofile%\adload04.dll,_IWMPEvents"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "NvCplDaemonTool" = "rundll32.exe %systemroot%\system32\adload04.dll,_IWMPEvents"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "PrivacyAdvanced" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "{A8A88C49-5EB2-4990-A1A2-0876022C854F}" = 1a 37 61 59 23 52 35 0c 7a 5f 20 17 2f 1e 1a 19 0e 2b 01 73 13 37 13 12 14 1a 15 2a
    • "{AEBA21FA-782A-4A90-978D-B72164C80120}" = 1a 37 61 59 23 52 35 0c 7a 5f 20 17 2f 1e 1a 19 0e 2b 01 73 13 37 13 12 14 1a 15 2a
    • "1400" = 0
    • "2103" = 0

The following Registry entries are deleted:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Safeboot]
  • [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Safeboot]
  • [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Safeboot]

The trojan creates and runs a new thread with its own program code in all running processes.


After the installation is complete, the trojan deletes the original executable file.
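The following read-only triage script is an added example, not part of the ESET entry: it checks a Windows host for the files, Run-key values, Internet Settings changes and missing SafeBoot keys listed above. It assumes an elevated PowerShell session; the random %variable%.tmp name cannot be matched and is skipped.

```powershell
# Added triage script, not part of the ESET entry: checks a host for the Win32/Theola.A
# artifacts listed in the Installation section. Read-only; it reports and does not remediate.
# Assumes an elevated session so HKLM and the current profile are readable.
$findings = @()

# Dropped files with fixed names (%variable%.tmp is random and skipped). The entry lists both
# adload0.dll and adload04.dll under %userprofile%, so both are checked.
$startup = [Environment]::GetFolderPath('Startup')
$files = @(
    "$env:SystemRoot\system32\adload04.dll",
    "$env:USERPROFILE\adload0.dll",
    "$env:USERPROFILE\adload04.dll",
    "$env:USERPROFILE\init.tmp",
    "$startup\scankdiskto86.dll",
    "$startup\scandisk.lnk"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Run-key persistence: value "NvCplDaemonTool" launching rundll32 with adload04.dll,_IWMPEvents
foreach ($hive in 'HKCU', 'HKLM') {
    $run = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run -and $run.NvCplDaemonTool) { $findings += "Run value in ${hive}: NvCplDaemonTool = $($run.NvCplDaemonTool)" }
}

# Internet Settings tampering: PrivacyAdvanced (weak indicator on its own, users can set it too)
# and the two GUID-named values under Zones\3.
$is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$top = Get-ItemProperty -Path $is -ErrorAction SilentlyContinue
if ($top -and $top.PrivacyAdvanced -eq 1) { $findings += "PrivacyAdvanced = 1 under Internet Settings" }
$zone3 = Get-ItemProperty -Path "$is\Zones\3" -ErrorAction SilentlyContinue
foreach ($guid in '{A8A88C49-5EB2-4990-A1A2-0876022C854F}', '{AEBA21FA-782A-4A90-978D-B72164C80120}') {
    if ($zone3 -and $zone3.PSObject.Properties[$guid]) { $findings += "Zones\3 value present: $guid" }
}

# SafeBoot keys removed (disables Safe Mode). Only control sets that exist are examined,
# since ControlSet002 is absent on some installs.
foreach ($cs in 'CurrentControlSet', 'ControlSet001', 'ControlSet002') {
    if ((Test-Path "HKLM:\System\$cs") -and -not (Test-Path "HKLM:\System\$cs\Control\SafeBoot")) {
        $findings += "Missing key: HKLM\System\$cs\Control\SafeBoot"
    }
}

if ($findings) { $findings | ForEach-Object { "[!] $_" } } else { "No Win32/Theola.A artifacts found." }
```

Because the trojan hooks FindNextFileA/W and RegDeleteValueA/W in running processes, file and registry checks from an infected live system may be blinded; confirm any negative result from an offline image or a boot disk.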

Information stealing

The trojan collects information used to access certain sites.


The following information is collected:

  • URLs visited
  • HTML forms content
  • digital certificates

The programs affected include the following:

  • Mozilla Firefox
  • Internet Explorer

The collected information is stored in the following folder:

  • %temp%

The file name is randomly generated.

Other information

The trojan receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send spam
  • set up a proxy server
  • update itself to a newer version

The trojan hooks the following Windows APIs:

  • TerminateProcess (kernel32.dll)
  • ExitProcess (kernel32.dll)
  • FindNextFileA (kernel32.dll)
  • FindNextFileW (kernel32.dll)
  • RegDeleteValueA (advapi32.dll)
  • RegDeleteValueW (advapi32.dll)
  • CryptHashData (advapi32.dll)
  • InternetConnectA (wininet.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • closesocket (ws2_32.dll)
  • send (ws2_32.dll)
  • recv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • WSARecv (ws2_32.dll)
