Trojan.Dropper.Oficla.P
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Dropper.Oficla.P is also known as TrojanDropper:Win32/Oficla.G, Trojan.Oficla.45, Trojan.Sasfis.
Explanation:
It usually arrives as an e-mail attachment carrying a PDF document icon or a Microsoft Office Word document icon.
When run, it drops a DLL file in the %temp% folder, which is then copied to the %system% folder under a random name (e.g. pgsb.lto); this component is detected as Gen:Variant.Oficla.2 or Trojan.Oficla.T. To ensure that the dropped DLL is active at each system startup, it modifies the following value in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key:
Shell = Explorer.exe rundll32.exe pgsb.lto csxyfxr
The pgsb.lto csxyfxr parameters passed to rundll32.exe may change in newer versions.
The DLL is injected into a newly created svchost.exe process, after which the trojan deletes itself.
Depending on the installed version, the DLL component contacts different sites, usually hosted in Russia (davidopolko.ru, postfolkovs.ru), from which it retrieves a link to another executable (Trojan.Downloader.ABBL). Downloading and running this executable leads to the installation of a rogue security solution (Security Essentials 2010), detected as Trojan.FakeAV.KZD.
In case of a successful download and installation, the following additional modifications are made to the system:
[HKCU\Software\Microsoft\Internet Explorer\PhishingFilter]
Enabled = 0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 1
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
smss32.exe = %system%\smss32.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Security essentials 2010 = %program_files%\Securityessentials2010\SE2010.exe
Last update 21 November 2011