If launched, the trojan installs the copy of itself in the WINDOWS directory together with a registry key enabling it to load on startup.

trojan-horse.jpg

Arbor Networks Security researchers have found an unknown botnet activated by Heloag Trojan, jeopardizing computers infected with it. Its purpose is to facilitate downloading and installation of numerous additional malicious applications.

The researches discovered after the detailed inspection that trojan does not have DDoS capabilities built-in, but only work upon managing downloads on the exposed machine.

How does it work?

Trojan can be downloaded from elwm.net or 7zsm.com. After getting stored on the exposed computer, it installs the copy of itself in the WINDOWS directory under the following names:

C:\WINDOWS\conme.exe
C:\WINDOWS\ThunderUpdate.exe
C:\WINDOWS\csrse.exe

After that malware mounts the above registry key enabling it to load on startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon = [one of the filenames above]

What it’s doing next is establishing a connection to the server C&C to provide the access for the botnet, usually on 8090 TCP port, in order to get registered and wait for further commands. Traffic is often preceded by a single byte indicating the aim of a message:

1 – hello
2 – staying alive
3 – downloading the above mentioned file
4 – connecting to other peers
5 – sending the host name to the server
6 – clearing
7 – shutting down the connection

Those hosts which are infected with Trojan.Heloag usually download some different malcode via HTTP from the central server, after which they are able to get connected to other bots via TCP ports 7000-7010 and therefore to other infected PCs. The researchers are not sure about the purpose of this yet, but it’s definitely some form of P2P. Be careful.