Win32/Theola [Threat Name]
Win32/Theola.J [Threat Variant Name]
Category | trojan |
Size | 53248 B |
Aliases | Trojan.PWS.Sinowal.NCX (BitDefender), PWS:Win32/Sinowal.gen!Y (Microsoft) |
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
The trojan does not create any copies of itself.
The trojan is usually a part of other malware.
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
  - "TSEnabled" = 1
  - "fDenyTSConnections" = 0
  - "fSingleSessionPerUser" = 0
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
  - "fEnableWinStation" = 1
  - "ColorDepth" = 4
  - "MaxInstanceCount" = 10
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
  - "EnableConcurrentSessions" = 0
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
  - "limitblankpassworduse" = 0
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  - "AllowMultipleTSSessions" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
  - "3389:TCP" = "3389:TCP:*:Enabled:Remote Desktop"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
  - "3389:TCP" = "3389:TCP:*:Enabled:Remote Desktop"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
  - "MaxDisconnectionTime" = 21600000
  - "MaxIdleTime" = 21600000
  - "fResetBroken" = 0
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
The trojan may create the following folders:
- %appdata%\Mozilla\Firefox\Profiles\my
Other information
The trojan serves as a backdoor. It can be controlled remotely over the RDP protocol.
The trojan enables the following services:
- TermService
- FastUserSwitchingCompatibility
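The registry values, firewall exceptions and services listed above together describe a host that has been reconfigured to accept remote desktop sessions, including from accounts with blank passwords. The following read-only PowerShell audit is an added example and is not part of the ESET entry: it reads each listed value and service on the local host and reports which ones match the described configuration. The function names and the output layout are my own; every key, value name, expected value and service name is taken from the entry. Run it in an elevated PowerShell on the host being examined.

```powershell
# Added example (not from the ESET entry): read-only audit of the Theola.J
# RDP configuration. Reports matches; changes nothing on the host.

$TS = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$FW = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$TSPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RdpFw = '3389:TCP:*:Enabled:Remote Desktop'

# Registry values exactly as listed in the entry (path, value name, value set by the trojan).
$Checks = @(
    @{ Path = $TS;                          Name = 'TSEnabled';                Value = 1 }
    @{ Path = $TS;                          Name = 'fDenyTSConnections';       Value = 0 }
    @{ Path = $TS;                          Name = 'fSingleSessionPerUser';    Value = 0 }
    @{ Path = "$TS\WinStations\RDP-Tcp";    Name = 'fEnableWinStation';        Value = 1 }
    @{ Path = "$TS\WinStations\RDP-Tcp";    Name = 'ColorDepth';               Value = 4 }
    @{ Path = "$TS\WinStations\RDP-Tcp";    Name = 'MaxInstanceCount';         Value = 10 }
    @{ Path = "$TS\Licensing Core";         Name = 'EnableConcurrentSessions'; Value = 0 }
    # 0 here allows accounts with blank passwords to log on over the network, not only at the console.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'limitblankpassworduse'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'AllowMultipleTSSessions'; Value = 1 }
    @{ Path = "$FW\StandardProfile\GloballyOpenPorts\List"; Name = '3389:TCP'; Value = $RdpFw }
    @{ Path = "$FW\DomainProfile\GloballyOpenPorts\List";   Name = '3389:TCP'; Value = $RdpFw }
    @{ Path = $TSPol;                       Name = 'MaxDisconnectionTime';     Value = 21600000 }
    @{ Path = $TSPol;                       Name = 'MaxIdleTime';              Value = 21600000 }
    @{ Path = $TSPol;                       Name = 'fResetBroken';             Value = 0 }
)
$Services = @('TermService', 'FastUserSwitchingCompatibility')

function Get-TheolaRegistryFindings {
    # One object per listed value: what the entry says the trojan sets, and what the host has.
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -LiteralPath $c.Path) {
            $props = Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue
            if ($props -and $props.PSObject.Properties[$c.Name]) {
                $actual = $props.PSObject.Properties[$c.Name].Value
            }
        }
        [pscustomobject]@{
            Path     = $c.Path
            Name     = $c.Name
            Expected = $c.Value
            Actual   = $actual
            Matches  = ($null -ne $actual) -and ("$actual" -eq "$($c.Value)")
        }
    }
}

function Get-TheolaServiceFindings {
    # Presence, state and start type of the two services the entry says the trojan enables.
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Present   = [bool]$svc
            Status    = if ($svc) { $svc.Status }    else { $null }
            StartType = if ($svc) { $svc.StartType } else { $null }
        }
    }
}

$reg = Get-TheolaRegistryFindings
$svc = Get-TheolaServiceFindings
$reg | Format-Table Path, Name, Expected, Actual, Matches -AutoSize
$svc | Format-Table -AutoSize
$hits = @($reg | Where-Object Matches).Count
Write-Output ("{0} of {1} listed registry values match the Theola.J configuration" -f $hits, $Checks.Count)
```

A full set of matches is not by itself proof of infection, since an administrator who enabled Remote Desktop legitimately will also have set several of these values; the combination worth escalating is the firewall exceptions plus `limitblankpassworduse` = 0 and `AllowMultipleTSSessions` = 1 on a host where nobody intended RDP to be available, together with the process injection and API hooks the entry describes. `FastUserSwitchingCompatibility` exists only on older Windows versions, so `Present` being false for it on a current host is expected.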
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe
- svchost.exe
- winlogon.exe
The trojan hooks the following Windows APIs:
- DisplayExitWindowsWarnings (user32.dll)
- SHRestricted (shell32.dll)
- LsaLogonUser (secur32.dll)