
Win32/Oficla


First posted on 17 May 2010.
Source: SecurityHome

Aliases :

There are no other names known for Win32/Oficla.

Explanation :

Win32/Oficla is a family of trojans that attempts to inject code into running processes in order to download and execute arbitrary files. In the wild, we have observed variants of this family downloading and installing several different malware families, including Win32/FakeScanti and Win32/Cutwail. Win32/Oficla consists of several components, including an executable trojan dropper component that installs a DLL trojan component, which then carries out the downloader payload.

Installation
Win32/Oficla is often distributed attached to spammed e-mail messages. For example, we have observed several variants being spammed in attachments that use one of the following file names:

  • UPS_document_Nr28451.zip
  • DHL_document_Nr39153.zip
  • Western_Union_documento_Nr7821.zip

The archive (zip) file contains an executable with the same name but with an ".EXE" file extension (e.g. UPS_document_Nr28457.zip would contain UPS_document_Nr28457.exe). The file may use the Microsoft Word document icon. When run, the trojan drops a DLL file with a randomly generated file name and a ".TMP" file extension into the Windows temporary files folder (for example "%TEMP%\e.tmp"). This file may be detected as Trojan:Win32/Oficla. It is then copied using a variable file name into the Windows system folder (for example <system folder>\tapi.nfo). We have observed many other file names being used by the Win32/Oficla family in this manner.

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The registry is modified to run this copy at each Windows logon, as in the following example:

Modifies value: "Shell"
From data: "explorer.exe"
To data: "explorer.exe rundll32.exe <Trojan:Win32/Oficla file> <DLL export name>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Note: <Trojan:Win32/Oficla file> refers to the variable file name being used by the variant in question, while <DLL export name> refers to an export within the trojan DLL being utilized. For example:

Modifies value: "Shell"
With data: "explorer.exe rundll32.exe tapi.nfo beforeglav"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The trojan also injects code into the running process "svchost.exe".

Payload
Downloads and executes arbitrary files
Trojan:Win32/Oficla attempts to download and execute arbitrary files from specified remote hosts. In the wild, Oficla variants have been observed to contact a number of remote hosts (both IP addresses and domain names) as a part of this process.

Files downloaded and executed by Oficla include additional malware and updates for itself. In the wild, Oficla has been observed downloading and executing members of the following prevalent malware families:
  • Win32/Hiloti - a family of trojans that downloads and executes arbitrary files, and moderates an affected user's online experience.
  • Win32/FakeScanti - a family of trojans that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
  • Win32/Cutwail - a family of trojans which downloads and executes arbitrary files. Downloaded files may be executed from disk or injected directly into other processes. Whilst the functionality of the files that are downloaded is variable, Cutwail usually downloads a Trojan which is able to send spam. Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal.
  • Win32/Zbot - a family of trojans that steals passwords and allows unauthorized access and control of an affected computer.
  • Win32/Alureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.
  • Win32/FakeRean - a family of trojans that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
  • Win32/Sefnit - a family of trojans that moderates an affected user's online experience.
  • Win32/Bamital - a family of trojans that modifies web search queries and displays advertisements.
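The Winlogon "Shell" modification described under Installation can be audited by parsing the value rather than looking for one fixed string. The following Python is an added example, not part of the original write-up: it tokenises a Shell value, flags anything beyond the default explorer.exe, and extracts the rundll32 file/export pair for follow-up; the sample values are constructed, apart from the page's own "tapi.nfo beforeglav" example.

```python
import ntpath
import shlex
from dataclasses import dataclass, field
from typing import List, Tuple

# Registry location named on this page; the value is only parsed here, never changed.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"  # the only content expected on a clean system

@dataclass
class ShellAudit:
    value: str
    suspicious: bool = False
    reasons: List[str] = field(default_factory=list)
    rundll32_targets: List[Tuple[str, str]] = field(default_factory=list)  # (file, export)

def _tokens(value: str) -> List[str]:
    """Split on spaces and commas; posix=False leaves Windows backslashes alone."""
    try:
        parts = shlex.split(value.replace(",", " "), posix=False)
    except ValueError:  # unbalanced quote: fall back to a plain split
        parts = value.replace(",", " ").split()
    return [p.strip('"') for p in parts]

def audit_shell_value(value: str) -> ShellAudit:
    """Flag a Shell value that starts anything besides explorer.exe at logon."""
    # The Oficla form 'explorer.exe rundll32.exe <file> <export>' is recognised and the
    # file/export pair is returned so the file can be hashed, scanned and removed.
    audit = ShellAudit(value=value)
    tokens = _tokens(value)
    if not tokens or ntpath.basename(tokens[0]).lower() != DEFAULT_SHELL:
        audit.reasons.append("shell is not explorer.exe")
    extras = tokens[1:]
    if extras:
        audit.reasons.append("extra programs launched at logon: " + " ".join(extras))
    i = 0
    while i < len(extras):
        if ntpath.basename(extras[i]).lower() == "rundll32.exe" and i + 1 < len(extras):
            target = extras[i + 1]
            export = extras[i + 2] if i + 2 < len(extras) else ""
            audit.rundll32_targets.append((target, export))
            if not target.lower().endswith(".dll"):  # Oficla hides its DLL as e.g. tapi.nfo
                audit.reasons.append(f"rundll32 loads a non-.dll file: {target}")
            i += 3
        else:
            i += 1
    audit.suspicious = bool(audit.reasons)
    return audit

if __name__ == "__main__":  # constructed run over the exact value quoted on this page
    print(audit_shell_value("explorer.exe rundll32.exe tapi.nfo beforeglav"))
```

On a live system the value is read from the subkey above (for example with reg query) and passed to audit_shell_value; a full path to explorer.exe is accepted, while any appended program or a rundll32 target without a .dll extension is reported.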


Analysis by Scott Molenkamp

Last update 17 May 2010
