Trojan.Heloag Downloader Analysis

Trojan.Heloag is a Trojan horse designed to manage the installation of other malware on the infected PC. This malcode gives complete control to the attacker and enables them to install arbitrary malcode on the PC. This one appeared in our zoo recently and after reading in an AV writeup about a possible DDoS capability within it, we investigated. Upon detailed inspection, this bot does not appear to have any DDoS capabilities built into it, it appears to only manage downloads on the infected PC.

Many of the samples analyzed were downloaded from or The malware may download additional files from those domains. We do not know how big this botnet is, but we do see a handful of users in the wild.

Once launched, the malware will install itself in the WINDOWS directory. Names we have observed include:

  • C:WINDOWScsrse.exe
  • C:WINDOWSThunderUpdate.exe
  • C:WINDOWSconme.exe

The malware then installs a registry key to ensure that it starts when the user logs on:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon = [filename]

Where [filename] refers to the installed filename from above.

It then makes a connection to the C&C server for the botnet, often on TCP port 8090, to register itself and await commands. Traffic is usually preceded by a single byte to indicate the message purpose:

  • 01 – initial hello
  • 02 – keep alive, idle message
  • 03 – download the named file
  • 04 – connect to other peers
  • 05 – send hostname to server
  • 06 – clear
  • 07 – close connection

An initial “HELLO” would therefore look like this:


where HOSTNAME is the Windows name of the computer. We often see a bot connect and get download commands for new EXEs to load onto the PC.

Trojan.Heloag infected hosts often download other malcode over HTTP from a central server, and can also connect to other bots over TCP, often using ports 7000-7010. It’s unclear what the purpose of this is, but it appears to be some form of peer-to-peer

Antivirus uses a handful of aliases for these samples. They aren’t consistent, which isn’t surprising, and the data on this downloader is very thin, as well. AV names we’ve seen include:

  • Microsoft – Backdoor:Win32/Heloag.A
  • Symantec – Suspicious.Insight
  • F-Secure – Suspicious:W32/Malware!Gemini
  • McAfee – Trojan.Crypt.XPACK.Gen
  • Trend Mircro – PAK_Generic.001

We are tracking a handful of these controllers around the Internet, around a few dozen or so.

6 Responses to “Trojan.Heloag Downloader Analysis”

April 13, 2010 at 2:59 pm, Botnet P2P: Trojan Heloag | Alexos Core Labs said:

[…] a Arbor Networks, o trojan Heloag instala-se automaticamente depois de ser baixado através dos dominios ou Ele se […]

April 13, 2010 at 5:41 pm, A new Botnet and the Trojan.Heloag « Malware Survival said:

[…] Arbor Networks […]

April 15, 2010 at 11:04 am, New P2P Trojan Discovered said:

[…] researchers at Arbor Networks researchers have discovered a new botnet that compromises machines infected with the Heloag Trojan that is […]

June 11, 2010 at 4:22 am, Heloag has rather no friends, just a master | TechFr3qNews=- said:

[…] Nazario of Arbor Networks recently posted an analysis of Trojan.Heloag on their blog, mentioning that some observed behaviour might be related to Peer-to-Peer C&C […]

January 07, 2011 at 8:52 am, dave said:

Can you let me know to which web server’s does this Trojan communicate to aggrevate itself?

January 19, 2011 at 1:13 am, A new Botnet and the Trojan.Heloag | MalwareSurvival said:

[…] Arbor Networks Posted in Backdoors, Trojan, Web Threats | Tags: Trojan Heloag […]

Comments are closed.