Threat Encyclopedia

Win32/OleLoa.gen

This Trojan hooks the function "HttpSendRequestA" in WININET.DLL by patching the dynamic link library file on disk. The patch redirects the DLL's entry point into the file header, where the Trojan has placed a combination of single-byte "dec/inc/pop/push" instructions that install the hook. Because the opcodes of these instructions are printable ASCII letters, the first 3 bytes of the file read "OLE" and, depending on the Trojan variant, the next 3 bytes may read "ADM", for example. This is why the Trojan's name starts with "Ole".
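The following is an added example, not code from the encyclopedia entry: it shows why the marker bytes are also executable code by decoding single-byte x86 inc/dec/push/pop opcodes, and applies the "OLE" header check the entry describes to constructed sample headers. The function names, the sample byte strings and the 64-byte read size are assumptions of this example.

```python
# Decode the single-byte x86 inc/dec/push/pop opcodes that the OleLoa hook
# stub consists of, and check a file header for the resulting "OLE" marker.
# Opcode ranges (32-bit mode): 0x40+r inc, 0x48+r dec, 0x50+r push, 0x58+r pop,
# where r indexes eax, ecx, edx, ebx, esp, ebp, esi, edi.
REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
GROUPS = {0x40: "inc", 0x48: "dec", 0x50: "push", 0x58: "pop"}


def decode_stub(data: bytes) -> list:
    """Return one mnemonic per byte, or None for bytes that are not a
    single-byte inc/dec/push/pop instruction."""
    out = []
    for b in data:
        base = b & 0xF8            # top five bits select the opcode group
        if base in GROUPS:
            out.append(f"{GROUPS[base]} {REGS[b & 7]}")
        else:
            out.append(None)
    return out


def is_ole_marked(image: bytes) -> bool:
    """True if the header starts with the "OLE" marker described in the entry
    (a clean PE image starts with the "MZ" DOS signature instead)."""
    return image[:3] == b"OLE"


# Constructed sample headers (not real files): a clean-looking PE header and a
# header carrying the "OLEADM" stub in place of the DOS signature.
CLEAN_HEADER = b"MZ\x90\x00" + b"\x00" * 60
PATCHED_HEADER = b"OLEADM" + b"\x00" * 58


def scan_file(path: str) -> bool:
    """Read the first 64 bytes of a file on disk and apply the marker check."""
    with open(path, "rb") as fh:
        return is_ole_marked(fh.read(64))


if __name__ == "__main__":
    for name, hdr in (("clean", CLEAN_HEADER), ("patched", PATCHED_HEADER)):
        print(name, "marker present:", is_ole_marked(hdr))
    # Show that each letter of the marker is itself a valid instruction.
    for b, insn in zip(PATCHED_HEADER[:6], decode_stub(PATCHED_HEADER[:6])):
        print(f"{b:#04x} '{chr(b)}' -> {insn}")
```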

When the hooked HttpSendRequestA function is called, the Trojan loads and maps its spoofing backdoor component (oleadm.dll) and passes control to its own code in order to spy on outgoing HTTP traffic. The spying component logs all accessed websites and sends the data to remote web servers.

Most of the OleLoa Droppers install a desktop wallpaper or an HTML file as an active desktop background, which may look like this:

The downloader component might try to download and install a system tray application that pops up balloon notifications warning that the computer is infected with spyware. At the same time the downloader might also install "P.S. Guard Spyware Scanner" (see screenshot), which detects the Trojan's own file and requires the user to purchase the software to clean the infection.

Note: Depending on the variant, the Trojan might also create several registry keys.