Win32/Theola [Threat Name]

Win32/Theola.I [Threat Variant Name]

Category trojan
Size 123904 B
Detection created Mar 14, 2013
Detection database version 8118
Aliases TR/Spy.Gen (Avira)
  Win32:Theola-A (Avast)
Short description

Win32/Theola.I is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.


The trojan is usually a part of other malware.


The trojan does not create any copies of itself.


The trojan hooks the following Windows APIs:

  • BCryptHashData (bcrypt.dll)
  • closesocket (ws2_32.dll)
  • CoGetClassObject (ole32.dll)
  • CryptHashData (advapi32.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetConnectA (wininet.dll)
  • InternetReadFile (wininet.dll)
  • PR_Close (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • WSASend (ws2_32.dll)
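The hook list above is the interception layer of the trojan: the socket, WinINet and NSPR (Firefox) send/receive paths let it read and alter traffic before or after encryption. One defender-side triage check is to read the first bytes of each listed export in a live process and look for a detour at the entry point. The snippet below is an added example, not code from the ESET entry: it takes the page's hook list as its watch list, classifies a prologue as one of the common inline-hook patterns, and runs over constructed sample bytes (the memory-reading part is left to the reader's tooling).

```python
from typing import Dict, List, Optional, Tuple
import struct

# API entry points the description says the trojan hooks, grouped by module.
THEOLA_HOOKED_APIS = {
    "bcrypt.dll": ["BCryptHashData"],
    "ws2_32.dll": ["closesocket", "recv", "send", "WSARecv", "WSASend"],
    "ole32.dll": ["CoGetClassObject"],
    "advapi32.dll": ["CryptHashData"],
    "wininet.dll": ["HttpOpenRequestA", "HttpSendRequestA", "HttpSendRequestW",
                    "InternetCloseHandle", "InternetConnectA", "InternetReadFile"],
    "nspr4.dll": ["PR_Close", "PR_Read", "PR_Write"],
}

def hook_kind(prologue: bytes) -> Optional[str]:
    """Classify the first bytes of a function entry as a known inline-hook pattern.
    Returns a label, or None when the entry looks unmodified."""
    if prologue[:1] == b"\xE9" and len(prologue) >= 5:
        return "jmp rel32"          # classic 5-byte relative JMP detour
    if prologue[:2] == b"\xFF\x25" and len(prologue) >= 6:
        return "jmp [mem]"          # absolute JMP through a pointer
    if prologue[:1] == b"\x68" and len(prologue) >= 6 and prologue[5] == 0xC3:
        return "push/ret"           # PUSH addr; RET
    if prologue[:2] == b"\xEB\xF9":
        return "hot-patch short jmp"  # JMP back into the 5-byte pad before entry
    return None

def scan_for_hooks(prologues: Dict[Tuple[str, str], bytes]) -> List[Tuple[str, str, str]]:
    """prologues maps (module, export) -> first bytes read at that export's address.
    Returns (module, export, kind) for listed APIs whose bytes match a hook pattern."""
    findings = []
    for module, apis in THEOLA_HOOKED_APIS.items():
        for api in apis:
            kind = hook_kind(prologues.get((module, api), b""))
            if kind:
                findings.append((module, api, kind))
    return findings

# Constructed sample bytes (not captured from the trojan): a clean hot-patchable
# prologue (mov edi,edi; push ebp; mov ebp,esp) and a 5-byte detour (jmp +0x1000).
CLEAN_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC"
DETOUR_PROLOGUE = b"\xE9" + struct.pack("<i", 0x1000)

if __name__ == "__main__":
    sample = {("ws2_32.dll", "send"): DETOUR_PROLOGUE,
              ("ws2_32.dll", "recv"): CLEAN_PROLOGUE}
    for finding in scan_for_hooks(sample):
        print("possible inline hook:", finding)
```

A match is a triage signal, not proof: security products and compatibility shims also install detours on these same exports, so compare the jump target against the loaded-module map before treating it as malicious.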
Information stealing

Win32/Theola.I is a trojan that steals passwords and other sensitive information.


The following information is collected:

  • computer name
  • operating system version
  • user name
  • network adapter information
  • login passwords for certain applications/services
  • login user names for certain applications/services
  • information about the operating system and system settings
  • computer IP address
  • CPU information
  • volume serial number
  • list of running processes
  • cookies
  • list of disk devices and their type
  • e-mail addresses
  • type of Internet connection
  • installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys
  • POP3 account information
  • the IP address of the router in the local network
  • hardware information
  • Registry entries
  • list of computer users
  • URLs visited
  • RAS accounts
  • file system type
  • network parameters

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of 2 URLs and also generates further URL addresses. The HTTP protocol is used.

Other information

The trojan connects to the following servers to obtain the current date and time:

  • google.com

It can execute the following operations:

  • monitor network traffic
  • modify network traffic
  • send gathered information
