Win32/Theola [Threat Name] go to Threat

Win32/Theola.J [Threat Variant Name]

Category trojan
Size 53248 B
Detection created Mar 19, 2013
Detection database version 8134
Aliases Trojan.PWS.Sinowal.NCX (BitDefender)
  PWS:Win32/Sinowal.gen!Y (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan is usually a part of other malware.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Terminal Server]
    • "TSEnabled" = 1
    • "fDenyTSConnections" = 0
    • "fSingleSessionPerUser" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Terminal Server\­WinStations\­RDP-Tcp]
    • "fEnableWinStation" = 1
    • "ColorDepth" = 4
    • "MaxInstanceCount" = 10
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Terminal Server\­Licensing Core]
    • "EnableConcurrentSessions" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­Lsa]
    • "limitblankpassworduse" = 0
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "AllowMultipleTSSessions" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­GloballyOpenPorts\­List]
    • "3389:TCP" = "3389:TCP:*:Enabled:Remote Desktop"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­DomainProfile\­GloballyOpenPorts\­List]
    • "3389:TCP" = "3389:TCP:*:Enabled:Remote Desktop"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Policies\­Microsoft\­Windows NT\­Terminal Services]
    • "MaxDisconnectionTime" = 21600000
    • "MaxIdleTime" = 21600000
    • "fResetBroken" = 0
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]

The trojan may create the following folders:

  • %appdata%\­Mozilla\­Firefox\­Profiles\­my
Other information

The trojan serves as a backdoor. It can be controlled remotely. The RDP protocol is used.


The trojan enables following services:

  • TermService
  • FastUserSwitchingCompatibility

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • svchost.exe
  • winlogon.exe

The trojan hooks the following Windows APIs:

  • DisplayExitWindowsWarnings (user32.dll)
  • SHRestricted (shell32.dll)
  • LsaLogonUser (secur32.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.