
Trojan.Dropper.Oficla.O


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Trojan.Dropper.Oficla.O.

Explanation:

It usually arrives as an e-mail attachment carrying a fake MS Office Word document icon.

When run, it drops a dll file in the %temp% folder, which is then copied into the %system% folder under a random name (e.g. pgsb.lto) and is detected as Gen:Variant.Oficla.2. To ensure that the dll is loaded at each system startup, it adds the following registry value:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell = Explorer.exe rundll32.exe random_dll random_api - where random_dll (the dropped dll) and random_api (the exported function rundll32.exe calls) may change with newer versions (e.g. pgsb.lto csxyfxr)

The dll is injected into a svchost.exe process, after which the trojan deletes itself.

Depending on the installed version, the dll component will access different sites, usually from Russia (davidopolko.ru, postfolkovs.ru), from which it will retrieve a link to another executable (Trojan.Downloader.ABBL). Downloading and running this will lead to the installation of a rogue security solution (Security Essentials 2010), detected as Trojan.FakeAV.KZD.

In case of a successful download and installation, additional modifications are made to the system:

[HKCU\Software\Microsoft\Internet Explorer\PhishingFilter] Enabled = 0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] DisableTaskMgr = 1

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] smss32.exe = %system%\smss32.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] Security essentials 2010 = %program_files%\Securityessentials2010\SE2010.exe
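The registry changes listed above (the Winlogon Shell persistence from the first stage and the PhishingFilter, DisableTaskMgr and Run entries from the rogue AV stage) are all things an analyst can check offline in a `reg export` of the relevant hives. The script below is an added example, not BitDefender's or malwarePDF's code: it parses the .reg export format and reports each indicator the page describes. The two embedded exports are constructed samples, and the list of Run-key image names (smss32.exe, SE2010.exe) is taken from the page and can be extended.

```python
import re

# Constructed sample export containing every modification described on the page.
# "pgsb.lto csxyfxr" is the dll/export pair quoted on the page; no real capture.
SAMPLE_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe pgsb.lto csxyfxr"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss32.exe"="C:\\Windows\\system32\\smss32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Security essentials 2010"="C:\\Program Files\\Securityessentials2010\\SE2010.exe"
"""

# Constructed clean export: default Shell value, phishing filter on.
SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HIVE_ALIASES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}

def _normalize_key(path):
    """Lower-case the key path and expand HKLM/HKCU so lookups are uniform."""
    hive, _, rest = path.partition("\\")
    return _HIVE_ALIASES.get(hive.lower(), hive.lower()) + "\\" + rest.lower()

def _decode_value(raw):
    """Decode the two value types the indicators use: REG_SZ strings and dwords."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) and other types are left as-is

def parse_reg_export(text):
    """Return {normalized_key_path: {value_name_lower: decoded_value}}."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = _normalize_key(m.group(1))
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            reg[current][name.lower()] = _decode_value(m.group(2))
    return reg

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
PHISHING = r"hkey_current_user\software\microsoft\internet explorer\phishingfilter"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run")
ROGUE_RUN_IMAGES = ("smss32.exe", "se2010.exe")  # image names listed on the page

def check_oficla_indicators(reg):
    """Return a human-readable finding for each indicator present in the export."""
    findings = []
    shell = reg.get(WINLOGON, {}).get("shell")
    # A clean Winlogon Shell is exactly "explorer.exe"; the trojan appends a
    # rundll32.exe command, so any extra token is the persistence described above.
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell modified: {shell!r}")
    if reg.get(PHISHING, {}).get("enabled") == 0:
        findings.append("IE PhishingFilter disabled (Enabled = 0)")
    if reg.get(POLICIES, {}).get("disabletaskmgr") == 1:
        findings.append("Task Manager disabled by policy (DisableTaskMgr = 1)")
    for key in RUN_KEYS:
        for name, cmd in reg.get(key, {}).items():
            if isinstance(cmd, str):
                image = cmd.replace("/", "\\").split("\\")[-1].strip('"').lower()
                if image in ROGUE_RUN_IMAGES:
                    findings.append(f"Run entry {name!r} launches {image} ({cmd})")
    return findings

if __name__ == "__main__":
    for finding in check_oficla_indicators(parse_reg_export(SAMPLE_INFECTED)):
        print("FINDING:", finding)
```

To use it against a real host, export the Winlogon, PhishingFilter, Policies\System and both Run keys with `reg export`, read the file (exports are UTF-16 with a BOM, so open it with `encoding="utf-16"`), and pass the text to `parse_reg_export`. The Shell check deliberately flags any deviation from the bare `explorer.exe` rather than matching the dll name, since the page notes the dll and export names vary between versions.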

Last update 21 November 2011
