Win32/Theola [Threat Name]
Win32/Theola.F [Threat Variant Name]
Category: trojan
Size: 230127 B
Aliases: Backdoor.Win32.Sinowal.shv (Kaspersky), PWS:Win32/Sinowal.gen!Y (Microsoft)
Short description
Win32/Theola.F is a trojan that steals sensitive information and attempts to send the gathered information to a remote machine. The trojan is usually a component of other malware. It is implemented as a malicious Google Chrome extension with an accompanying native plugin.
Installation
The trojan creates the following files:
- %localappdata%\Google\Chrome\User Data\Default\Extensions\%variable%\1.0_0\background.html (88 B)
- %localappdata%\Google\Chrome\User Data\Default\Extensions\%variable%\1.0_0\content.js (9085 B)
- %localappdata%\Google\Chrome\User Data\Default\Extensions\%variable%\1.0_0\manifest.json (758 B)
- %localappdata%\Google\Chrome\User Data\Default\Extensions\%variable%\1.0_0\plugin.dll (573440 B)
A string with variable content is used in place of %variable%.
Information stealing
Win32/Theola.F is a trojan that steals sensitive information.
The trojan collects information used to access certain sites.
The following information is collected:
- URLs visited
- HTML forms content
- cookies
The following programs are affected:
- Google Chrome
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).
It can execute the following operations:
- monitor network traffic
- modify network traffic
- block access to specific websites
- capture screenshots
- capture video of user's desktop
- show/hide application windows
- send gathered information