Win32/Theola [Threat Name] go to Threat

Win32/Theola.J [Threat Variant Name]

Category	trojan
Size	53248 B
Aliases	Trojan.PWS.Sinowal.NCX (BitDefender)
	PWS:Win32/Sinowal.gen!Y (Microsoft)

The trojan serves as a backdoor. It can be controlled remotely.

The trojan does not create any copies of itself.

The trojan is usually a part of other malware.

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
- "TSEnabled" = 1
- "fDenyTSConnections" = 0
- "fSingleSessionPerUser" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
- "fEnableWinStation" = 1
- "ColorDepth" = 4
- "MaxInstanceCount" = 10
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
- "EnableConcurrentSessions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
- "limitblankpassworduse" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "AllowMultipleTSSessions" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
- "3389:TCP" = "3389:TCP:*:Enabled:Remote Desktop"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
- "3389:TCP" = "3389:TCP:*:Enabled:Remote Desktop"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
- "MaxDisconnectionTime" = 21600000
- "MaxIdleTime" = 21600000
- "fResetBroken" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

The trojan may create the following folders:

The trojan serves as a backdoor. It can be controlled remotely. The RDP protocol is used.

The trojan enables following services:

The trojan creates and runs a new thread with its own program code within the following processes:

The trojan hooks the following Windows APIs: