
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Hiloti

Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Hiloti carries out the following actions:

  • It connects to certain IP addresses to download the adware detected as Lop to the affected computer.
  • It monitors users' browsing and is activated when they access websites whose URLs contain any of the following text strings:

    /
    /search, /web?.

    ?
    ?aclk.

    0123456789
    250000.co.uk, 7search..

    A
    about., ads.ask.com, alexa., alltheweb.com, allyoursearch., altavista., altavista.com, aol, aol., aol.com, asiaco., ask., askredir.com.

    B
    bbc..

    C
    clearsearch., comcast., coolwebsearch., crawlbar..

    D
    daum.net, destinationadult., ditto.com, dmoz., dogpile..

    E
    earthlink., emetasearch., epilot.com, exactsearch., excite..

    F
    find=, findsearch., findwhat..

    G
    galaxysearch., gateway.com, genieknows., gigablast.com, goclick., goguides., gohip., google, google., grip.com.

    H
    hotbot.com.

    I
    infoseek., inquire., instafinder..

    J
    jayde..

    K
    kanoodle., keywords=, kw=.

    L
    live., london-pages.co.uk, looksmart., lycos..

    M
    mamma., mirago., msn., mt=, mygeek., myway., mywebsearch..

    N
    navisearch., neon.org, netscape., netster., netzero., nytimes..

    O
    oingo., overture..

    P
    find=, findsearch., findwhat..

    Q
    qkw=, qq=, qry=, qt=, qu=, query=.

    R
    r.looksmart.com, reference., revquest..

    S
    satitle=, sc=, scoutcrawl., search, search.aol, search.lycos, search.yahoo., search_str=, search=, search123., searchengine., searchfeed., searchfor=, searchmiracle., searchscout., searchstri=, searchterm=, searchtext=, seeq., sensis.com, sex.com, shoprogers., sirsearch., slirsredirect, slotch., sqwire., ss=, string=.

    T
    teoma., term=, terms=, thefreedictionary..

    U
    ukindex.co.uk, url.searchuk.com, usseek..

    V
    vachercher.lycos.fr, vivisimo..

    W
    wanadoo., web.ask.co.uk, webmail.aol.com, websearch., wesearchall., what2find., wikipedia., wisenut., word=.
    These text strings mostly belong to search engines.
  • When users access any of these websites with the Firefox browser, the Trojan injects JavaScript code into the pages in order to redirect users to malicious websites from which more malware is downloaded.
  • Additionally, on Windows Server 2008/Vista computers, it lowers the Mandatory Integrity Control (MIC) level of the process, leaving it at a low level. MIC is an additional security layer that restricts the access permissions of running applications.

Infection strategy 

Hiloti creates the file %random characters%.DLL in the Windows directory. It is a copy of the Trojan.

Additionally, it creates the following files:

  • CHROME.MANIFEST and INSTALL.RDF, in the folder Application Data\Mozilla\Firefox\Extensions of the Documents and Settings directory of the user that has logged in.
  • _CFG.JSC.JS and OVERLAY.XU, in the folder Application Data\Mozilla\Firefox\Extensions\chrome\content of the Documents and Settings directory of the user that has logged in.

 

Hiloti creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    rundll32.exe = %windir%\%random characters%.dll, e
    where %windir% is the Windows directory.
    By creating this entry, Hiloti ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%random CLSID%
    Default = %windir%\%random characters%.dll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%random CLSID%
    Default = %windir%\%random characters%.dll
    By creating these entries, Hiloti registers itself as a BHO (Browser Helper Object).
  • HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\sample@example.net
    It is registered as a Mozilla Firefox extension in order to monitor the user's browsing.
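As an added example (not from this page or from Panda's product), a small Python triage script that parses a "reg export" style dump and flags the three persistence patterns just listed: a Run value loading a DLL straight from %windir% through rundll32, a Browser Helper Object whose default value points to such a DLL, and a Firefox extension registered through the registry. The sample dump, the DLL name and the CLSID are constructed for the demonstration.

```python
import re

# Constructed "reg export" style dump (not from a real machine): the paths mirror the
# persistence entries described above, with made-up random names and CLSID.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"rundll32.exe"="C:\\Windows\\xkqzpvtw.dll, e"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="C:\\Windows\\xkqzpvtw.dll"

[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\sample@example.net]
@=""
"""

# A DLL directly in the Windows directory (no subfolder), optionally followed by
# rundll32's ", export" argument; matches both %windir% and a literal C:\Windows.
WINDIR_DLL = re.compile(r'^(?:%windir%|[a-z]:\\windows)\\[^\\]+\.dll(?:\s*,\s*\w+)?$', re.I)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run$', re.I)
BHO_KEY = re.compile(r'\\Explorer\\Browser Helper Objects\\\{[0-9a-f-]+\}$', re.I)
FF_EXT_KEY = re.compile(r'\\Mozilla\\Firefox\\Extensions\\[^\\]+$', re.I)
VALUE_LINE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, data); a bare key yields (key, None, None)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE_LINE.match(line)):
            data = m.group(3).strip('"').replace('\\\\', '\\')  # undo .reg escaping
            yield key, m.group(1) or '(Default)', data

def scan(text):
    """Return (rule, key, value_name, data) findings for the persistence described above."""
    findings = []
    for key, name, data in parse_reg(text):
        if name is None:  # key-only indicator: an extension registered through the registry
            if FF_EXT_KEY.search(key):
                findings.append(('firefox-extension-registry-key', key, None, None))
        elif RUN_KEY.search(key) and WINDIR_DLL.match(data):
            findings.append(('run-key-rundll32-windir-dll', key, name, data))
        elif BHO_KEY.search(key) and name == '(Default)' and WINDIR_DLL.match(data):
            findings.append(('bho-windir-dll', key, name, data))
    return findings
```

The same rules apply to the HKEY_CURRENT_USER variants of the Run and BHO keys, since only the key suffix is matched; the Firefox finding is a review item, as the page gives no extension ID that is itself an indicator.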

Means of transmission 

Hiloti does not spread automatically using its own means. It needs the attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details

Hiloti is 158,208 bytes in size.