TrojanDropper:Win32/Oficla.J
First posted on 26 April 2010.
Source: SecurityHome
Aliases :
TrojanDropper:Win32/Oficla.J is also known as Win-Trojan/Bredolab.52224.C (AhnLab), W32/Trojan3.BRZ (Authentium (Command)), TR/Spy.ZBot.nbv (AVG), Win32/Bredolab.AAR (CA), Trojan.MulDrop.1.10900 (Dr.Web), Win32/Oficla.FO (ESET), Trojan.Win32.Bredolab (Ikarus), W32/Bredolab.TM (Norman), Trj/Agent.NNC (Panda), Trojan.Win32.FakeMS.ws (Rising AV), Troj/Agent-MVS (Sophos), Trojan.Sasfis (Symantec), WORM_BREDOLAB.CA (Trend Micro).
Explanation :
TrojanDropper:Win32/Oficla.J is a detection for a trojan that installs and executes Trojan:Win32/Oficla.M, a trojan that attempts to inject code into a running process to download a rogue security program identified as TrojanDownloader:Win32/FakeScanti.
Installation
In the wild, this trojan has been observed being distributed in spammed e-mail messages as an archive file attachment named "UPS_invoice_<random 4 digit number>.zip".
Payload
Drops other malware
When run, this trojan drops a copy of Trojan:Win32/Oficla.M into the Windows temporary file folder using a random file name and a ".TMP" file extension, for example "%TEMP%\e.tmp". The dropped file is then copied as a randomly named file into the Windows system folder, for example:
<system folder>\lgou.rlo
The registry is modified so that this copy runs at each Windows start, as in the following:
Modifies value: "Shell"
From data: "explorer.exe" (default value)
To data: "explorer.exe rundll32.exe lgou.rlo mrtiyyb"
Under subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note: In the above, the data "lgou.rlo mrtiyyb" may change among installations.
It also injects code into the running process "svchost.exe".
Trojan:Win32/Oficla.M attempts to download other malware such as TrojanDownloader:Win32/FakeScanti from the domain "postfolkovs.ru".
Additional Information
For more information about Trojan:Win32/Oficla.M or TrojanDownloader:Win32/FakeScanti, see the descriptions elsewhere in the encyclopedia.
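The two indicators this entry gives that a responder can check mechanically are the lure attachment name under Installation and the modified Winlogon "Shell" value under Payload. The following is an added example, not code from the original entry or from the analyst: it matches the "UPS_invoice_<4 digits>.zip" filename pattern, and it parses a Winlogon Shell value and flags anything appended after the default "explorer.exe" (the rundll32-with-a-non-.dll-module pattern is the specific shape this family uses). The sample values fed in at the bottom are constructed from the description above; the optional live-registry read via winreg is an assumption about how a practitioner would run this on a Windows host and is skipped on other platforms.

```python
import re
import shlex
import sys

# Lure filename from the Installation section: UPS_invoice_<random 4 digit number>.zip
LURE_RE = re.compile(r"^UPS_invoice_\d{4}\.zip$", re.IGNORECASE)

# The only value Windows itself writes for the Winlogon "Shell" value.
DEFAULT_SHELL = "explorer.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def is_lure_attachment(filename: str) -> bool:
    """True if the attachment name matches the spammed UPS_invoice_NNNN.zip lure."""
    return bool(LURE_RE.match(filename.strip()))


def inspect_winlogon_shell(value: str) -> dict:
    """Parse a Winlogon Shell value and flag anything beyond the default explorer.exe.

    Returns {'clean': bool, 'extra': [tokens appended after explorer.exe],
             'findings': [human-readable reasons the value is suspicious]}.
    """
    # posix=False keeps Windows backslashes intact and keeps quoted paths together.
    tokens = [t.strip('"') for t in shlex.split(value, posix=False)]
    findings = []
    if not tokens:
        return {"clean": False, "extra": [], "findings": ["empty Shell value"]}

    if tokens[0].lower() != DEFAULT_SHELL:
        findings.append(f"shell is {tokens[0]!r}, not {DEFAULT_SHELL}")

    extra = tokens[1:]
    if extra:
        findings.append("extra command appended after explorer.exe: " + " ".join(extra))
        # "rundll32.exe <module> <export>" is the exact shape this family writes;
        # a module whose extension is not .dll (e.g. lgou.rlo) is a further indicator.
        if extra[0].lower().endswith("rundll32.exe") and len(extra) >= 2:
            module = extra[1]
            if not module.lower().endswith(".dll"):
                findings.append(f"rundll32 loading non-.dll module {module!r}")

    return {"clean": not findings, "extra": extra, "findings": findings}


def read_live_shell_value():
    """On Windows, read the real HKLM Winlogon Shell value; elsewhere return None.

    Assumed usage for a live host check; requires no elevation for a read of HKLM.
    """
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
        return value


if __name__ == "__main__":
    # Constructed samples based on the entry's description, not captured data.
    attachments = ["UPS_invoice_4821.zip", "UPS_invoice_48.zip", "report.pdf"]
    for name in attachments:
        print(f"{name}: lure={is_lure_attachment(name)}")

    shell_values = {
        "default": "explorer.exe",
        "oficla-style": "explorer.exe rundll32.exe lgou.rlo mrtiyyb",
    }
    for label, val in shell_values.items():
        result = inspect_winlogon_shell(val)
        print(f"{label}: clean={result['clean']} findings={result['findings']}")

    live = read_live_shell_value()
    if live is not None:
        print("live Shell value:", inspect_winlogon_shell(live))
```

Because the module name and export ("lgou.rlo mrtiyyb") vary between installations, the check keys on the structure of the value rather than on those strings: any token after "explorer.exe" is already abnormal, and rundll32 pointing at a non-.dll module is the family-specific refinement.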
Analysis by Wei Li
Last update 26 April 2010