Home / malware Trojan:Win32/Oficla.H
First posted on 22 February 2010.
Source: SecurityHomeAliases :
Trojan:Win32/Oficla.H is also known as Trojan.Oficla.5 (Dr.Web), Win32/Oficla.DB (ESET), Trojan.Win32.Bredolab (Ikarus), FakeAlert-SpyPro.gen.b (McAfee), Troj/Bredo-AN (Sophos), Trojan.Bredolab (Symantec), TROJ_FAKEAL.SMDP (Trend Micro).
Explanation :
Trojan:Win32/Oficla.H is a trojan that attempts to inject code into a running process to download a rogue security program, such as TrojanDownloader:Win32/FakeScanti.
Top
Trojan:Win32/Oficla.H is a trojan that attempts to inject code into a running process to download a rogue security program, such as TrojanDownloader:Win32/FakeScanti. Installation Trojan:Win32/Oficla.H may arrive in the system distributed in spammed e-mail messages as an attachment. The attachment is an archive file named "UPS_document_Nr28451.zip". We have observed this malware being distributed with other file names such as the following: DHL_document_Nr39153.zip
DHL_document_Nr47813.zip
DHL_document_Nr63813.zipUPS_document_Nr46721.zip
Western_Union_documento_Nr7821.zip The archive file contains an executable by the same name but with ".EXE" file extension (i.e. "UPS_document_Nr28457.exe") with a file icon matching a Microsoft Word document: When run, the trojan drops a file with a random file name and ".TMP" file extension into the Windows temporary files folder, for example "%TEMP%\e.tmp", detected as Trojan:Win32/Oficla.H!dll. It is then copied as a randomly named file into the Windows system folder such as the following: <system folder>\aqlb.hjo The registry is modified to run this copy at each Windows start as in the following example: Modifies value: "Shell"
From data: "explorer.exe"
To data: "explorer.exe rundll32.exe aqlb.hjo lhoweid"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Note: In the above, the data "aqlb.hjo lhoweid" may change among installations. The trojan also injects code into the running process "svchost.exe". Payload Downloads other malwareTrojan:Win32/Oficla.H attempts to download other malware such as TrojanDownloader:Win32/FakeScanti, from the domain €œapsight.ru€.
Analysis by Wei LiLast update 22 February 2010