Win32/Theola [Threat Name] go to Threat

Win32/Theola.F [Threat Variant Name]

Category trojan
Size 230127 B
Detection created Jan 30, 2013
Signature database version 7950
Aliases Backdoor.Win32.Sinowal.shv (Kaspersky)
  PWS:Win32/Sinowal.gen!Y (Microsoft)
Short description

Win32/Theola.F is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine. The trojan is usually a part of other malware. The trojan is a malicious Google Chrome extension/plugin.

Installation

The trojan creates the following files:

  • %localappdata%\­Google\­Chrome\­User Data\­Default\­Extensions\­%variable%\­1.0_0\­background.html (88 B)
  • %localappdata%\­Google\­Chrome\­User Data\­Default\­Extensions\­%variable%\­1.0_0\­content.js (9085 B)
  • %localappdata%\­Google\­Chrome\­User Data\­Default\­Extensions\­%variable%\­1.0_0\­manifest.json (758 B)
  • %localappdata%\­Google\­Chrome\­User Data\­Default\­Extensions\­%variable%\­1.0_0\­plugin.dll (573440 B)

A string with variable content is used instead of %variable% .

Information stealing

Win32/Theola.F is a trojan that steals sensitive information.


The trojan collects information used to access certain sites.


The following information is collected:

  • URLs visited
  • HTML forms content
  • cookies

The following programs are affected:

  • Google Chrome

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).


It can execute the following operations:

  • monitor network traffic
  • modify network traffic
  • block access to specific websites
  • capture screenshots
  • capture video of user's desktop
  • show/hide application windows
  • send gathered information

Please enable Javascript to ensure correct displaying of this content and refresh this page.