1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Trojan-Downloader:W32/Hiloti

Trojan-Downloader:W32/Hiloti

Name : Trojan-Downloader:W32/Hiloti
Detection Names : Gen:variant.hiloti.1
Trojan-Downloader.Win32.Mufanom
Aliases : Trojan:Win32/Hiloti.gen!D (Microsoft)
Category:Malware
Type:Trojan-Downloader
Platform:W32

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Additional Details

Trojan-Downloader:W32/Hiloti identifies a family of programs that download and execute malicious files onto the affected system.

Variants in this family may also be identified as variants in the Trojan-Downloader:W32/Mufanom family.

The details below are for a representative variant in the Hiloti family.


Execution

The variant drops a file at %windir% as:

  •  [random filename].dll

And loads it using rundll32.exe.
     
The malware then downloads a file from: 

  •  [removed].edvehal.com/GET /get2.php?

And saves it to the following location: %windir%\[random filename].dll

The malware then performs DNS Query using the infected system's information, for example:

  •  0000407015.742c6d13.01.[hash].n.empty.772.empty.5_1._t_i.ffffffff.explorer_exe.154.rc2.[removed]uploading.com

Registry Changes

During execution, the malware creates a registry key to create a launchpoint:
  •  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        [random value] = rundll32.exe "C:\WINDOWS\[random filename].dll",Startup

  Then it creates random registry keys:

  •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename]
  •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename]
           [random value] = 154
  •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename]
           [random value] = ""
  •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[random filename]
           [random value] = ""

It also creates 8-character mutexes with random name, such as 4fef8c25, 1dfefa41, and ef485b09.