Trojan:Win32/Oficla.T
First posted on 17 September 2010.
Source: SecurityHome
Aliases:
Trojan:Win32/Oficla.T is also known as Trojan-Spy.Win32.Wemon.qo (Kaspersky), Trojan.FakeAV (Symantec).
Explanation:
Trojan:Win32/Oficla.T is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.
Installation
Trojan:Win32/Oficla.T modifies the following registry entry to ensure that its copy executes at each Windows start:
Adds value: "start 1"
With data: "<malware file>.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
Payload
Modifies system security settings
Trojan:Win32/Oficla.T adds itself to the list of applications that are authorized to access the Internet without being stopped by the Firewall, by making the following registry modification:
Adds value: "<malware file>.exe"
With data: "<malware file>.exe:*:enabled:ldrsoft"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Contacts remote host
The malware may contact a remote host at dns-requests.com using port 80. Commonly, malware may contact a remote host for the following purposes:
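The two registry modifications above (the Run-key autostart entry and the firewall AuthorizedApplications exemption) are the artifacts a responder would check for on a suspect machine. The following Python script is an added example, not part of the original description or of any vendor tooling: it parses the `<path>:<scope>:<Enabled|Disabled>:<display name>` format used by the XP/2003 firewall list, extracts the executable from Run values, and flags entries whose binary lives outside a small allow-list of program directories. The registry snapshot, the file paths, and the allow-list are constructed for the example and are assumptions, not indicators from the sample.

```python
"""Offline triage of the two registry locations named in this description.

Added example. The registry snapshot below is constructed; the paths in it are
placeholders for illustration, not indicators extracted from the sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
               r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Directories where autostart and firewall-authorized binaries normally live.
# This allow-list is an assumption made for the example; tune it per environment.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Windows XP/2003 firewall list entry: "<path>:<scope>:<Enabled|Disabled>:<display name>".
# The path carries a drive-letter colon, so it is matched explicitly; the display
# name comes last and may itself contain colons, so it takes the remainder.
_FW_ENTRY = re.compile(r"^([A-Za-z]:\\[^:]*|[^:]+):([^:]*):([^:]*):(.*)$")


@dataclass
class Finding:
    key: str
    value_name: str
    data: str
    reason: str


def parse_authorized_app(data: str) -> Optional[Dict[str, str]]:
    """Split an AuthorizedApplications\\List value into its four fields, or None if malformed."""
    m = _FW_ENTRY.match(data)
    if not m:
        return None
    path, scope, state, name = m.groups()
    return {"path": path, "scope": scope, "state": state.lower(), "name": name}


def executable_from_run_data(data: str) -> str:
    """Return the program path from a Run value such as '"C:\\x y\\a.exe" /arg' or 'C:\\a.exe /arg'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def is_trusted_path(path: str) -> bool:
    """Case-insensitive prefix check against the allow-list (assumed, see above)."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(registry: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag autostart entries and enabled firewall exemptions pointing outside trusted directories."""
    findings: List[Finding] = []
    for name, data in registry.get(RUN_KEY, {}).items():
        if not is_trusted_path(executable_from_run_data(data)):
            findings.append(Finding(RUN_KEY, name, data,
                                    "autostart entry launches a binary outside trusted directories"))
    for name, data in registry.get(FW_LIST_KEY, {}).items():
        entry = parse_authorized_app(data)
        if entry is None:
            findings.append(Finding(FW_LIST_KEY, name, data, "malformed authorized-application entry"))
            continue
        if entry["state"] != "enabled":
            continue  # a disabled exemption grants no network access
        if not is_trusted_path(entry["path"]):
            findings.append(Finding(FW_LIST_KEY, name, data,
                                    "enabled firewall exemption for a binary outside trusted directories"))
    return findings


# Constructed snapshot of the two keys: one benign entry each, plus one entry shaped
# like the modifications described above. SAMPLE_PATH is a placeholder, not a real IoC.
SAMPLE_PATH = r"C:\Users\alice\AppData\Local\Temp\ldrsoft_sample.exe"
SAMPLE_REGISTRY = {
    RUN_KEY: {
        "Updater": r'"C:\Program Files\ExampleVendor\updater.exe" /background',
        "start 1": SAMPLE_PATH,
    },
    FW_LIST_KEY: {
        r"C:\Program Files\ExampleVendor\updater.exe":
            r"C:\Program Files\ExampleVendor\updater.exe:*:Enabled:Example Updater",
        SAMPLE_PATH: SAMPLE_PATH + ":*:Enabled:ldrsoft",
    },
}

if __name__ == "__main__":
    for f in triage(SAMPLE_REGISTRY):
        print(f"[{f.reason}] {f.key}\\{f.value_name} = {f.data}")
```

On a live host the snapshot would come from `reg export` output or a forensic hive copy rather than the constructed dictionary; the allow-list approach is deliberately coarse, since it catches any exemption or autostart under a user profile or temp directory rather than depending on the sample's file name, which varies per infection.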
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 12fb71772d66925d61786f630674f864c0a9e0a9.
Last update 17 September 2010