Win32/TrojanProxy.Hioles [Threat Name]

Win32/TrojanProxy.Hioles.AA [Threat Variant Name]

Category: trojan
Size: 32256 B
Aliases: Trojan.Win32.Yakes.ouv (Kaspersky)
  Trojan:Win32/Hioles.C (Microsoft)
  TR/Proxy.Hioles.B.1 (Avira)

Short description

The trojan serves as a proxy server. The file is run-time compressed using UPX.

Installation

The trojan may create the following files:

  • %system%\%variable%.dll (13824 B, Win32/TrojanProxy.Hioles.AB)
  • %commonappdata%\%variable%.dll (13824 B, Win32/TrojanProxy.Hioles.AB)

A string with variable content is used instead of %variable%.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
    • "SecurityProviders" = "%originaldata%, %droppedfilename%.dll"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Time" = "rundll32.exe "%droppedfilepath%",EntryPoint"

This causes the trojan to be executed on every system start.
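
A read-only check for the two persistence entries listed above, as an added example (not ESET's code). It assumes the default PowerShell registry drives; the function names are hypothetical, and the 13824-byte size and the "Windows Time" value name come from this description.

```powershell
# Added example, read-only. Indicator values are taken from the description above.
$DroppedDllSize = 13824   # size in bytes of the dropped DLL

function Test-HiolesRunValue {
    param([string]$Data)
    # Page pattern: rundll32.exe "<dropped file path>",EntryPoint
    return $Data -match 'rundll32(\.exe)?\s+"?[^"]+"?\s*,\s*EntryPoint\s*$'
}

function Get-SecurityProviderEntries {
    param([string]$Data)
    # The value holds a comma-separated list of provider DLLs
    return @($Data -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Find-HiolesPersistence {
    $findings = @()
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $spKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and (Test-HiolesRunValue $run.'Windows Time')) {
        $findings += [pscustomobject]@{ Key = $runKey; Entry = $run.'Windows Time' }
    }

    # %system% and %commonappdata% are the two drop locations listed above
    $dirs = @([Environment]::SystemDirectory,
              [Environment]::GetFolderPath('CommonApplicationData'))
    $sp = Get-ItemProperty -Path $spKey -ErrorAction SilentlyContinue
    foreach ($entry in Get-SecurityProviderEntries $sp.SecurityProviders) {
        # An entry may be a bare file name or a full path; try both drop locations
        $paths = if ([IO.Path]::IsPathRooted($entry)) { @($entry) } else {
            $dirs | ForEach-Object { Join-Path $_ $entry }
        }
        foreach ($p in $paths) {
            $file = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
            if ($file -and $file.Length -eq $DroppedDllSize) {
                $findings += [pscustomobject]@{ Key = $spKey; Entry = $file.FullName }
            }
        }
    }
    return $findings
}

Find-HiolesPersistence | Format-List
```

A size match alone does not identify the file; treat each finding as a lead to confirm with a scanner before changing the registry.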


The trojan quits immediately if it is run within a debugger.


The trojan can create and run a new thread with its own program code within the following processes:

  • explorer.exe

Other information

The trojan serves as a proxy server.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 4 URLs. The TCP and HTTP protocols are used.


The trojan checks for Internet connectivity by trying to connect to the following servers:

  • yahoo.com:25
  • hotmail.com:25
  • gmail.com:25

The trojan may create the following files:

  • %temp%\%variable%.dat (2048 B)

A string with variable content is used instead of %variable%.