Trojan:Win32/Oficla.V
First posted on 13 August 2010.
Source: SecurityHome
Aliases:
Trojan:Win32/Oficla.V is also known as Trojan.Win32.Jorik.Oficla.ar (Kaspersky), TR/Sasfis.O (Avira), Trojan.Sasfis.O (BitDefender), Win32/Oficla.JO (CA), Trojan.Oficla.48 (Dr.Web), Win32/Oficla.HZ (ESET), Trojan.Win32.Jorik (Ikarus), Trojan.Win32.Sasfis.a (Sunbelt Software).
Explanation:
Trojan:Win32/Oficla.V is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected machine.
Installation
Trojan:Win32/Oficla.V creates the following file(s) on an affected machine:
<system folder>\<random file name 1> (for example, vryw.kco) - detected as Trojan:Win32/Oficla.V
%Temp%\<random file name 2>.tmp - also detected as Trojan:Win32/Oficla.V
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The malware modifies the following registry entry to ensure its component in the <system folder> executes at each Windows start:
Adds value: "Shell"
With data: "explorer.exe rundll32.exe <random file name 1> <random function name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Payload
Contacts remote host
Trojan:Win32/Oficla.V may contact a remote host at ptf.messenger-update.su. Commonly, malware may contact a remote host for the following purposes:
To download and execute arbitrary files (including updates or additional malware)
One such file it has been observed to download is detected as the following: TrojanProxy:Win32/Slenugga.A
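The Winlogon "Shell" modification described above is a persistence technique a defender can check for directly. The following script is an added example, not part of the original write-up: it parses a Shell value and reports anything appended after the default explorer.exe, in particular a rundll32.exe load of a DLL and export. The infected sample value is constructed from the pattern on this page (vryw.kco is the file name the page gives; the export name is an invented placeholder).

```python
"""Flag Oficla-style persistence in the Winlogon Shell registry value.
Added example; assumes the legitimate Shell value is exactly "explorer.exe".
"""
from typing import List, Optional

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"

# Constructed sample modelled on the value described above
# ("explorer.exe rundll32.exe <random file name 1> <random function name>").
# "StartService" stands in for the random export name and is a placeholder.
SAMPLE_INFECTED = "explorer.exe rundll32.exe vryw.kco StartService"


def check_shell_value(value: str) -> List[str]:
    """Return a list of findings for a Winlogon Shell value; empty means clean."""
    findings: List[str] = []
    # Windows treats Shell as a comma- or space-separated list of programs to launch.
    parts = value.replace(",", " ").split()
    if not parts:
        return ["Shell value is empty"]
    if parts[0].lower() != EXPECTED_SHELL:
        findings.append(f"first shell entry is {parts[0]!r}, expected {EXPECTED_SHELL!r}")
    if len(parts) > 1:
        findings.append("additional programs appended to Shell: " + " ".join(parts[1:]))
    # The pattern on this page: rundll32.exe <dll> <export> chained after explorer.exe.
    for i, tok in enumerate(parts):
        if tok.lower().endswith("rundll32.exe"):
            dll_and_export = " ".join(parts[i + 1:i + 3])
            findings.append("rundll32 load in Shell: " + dll_and_export)
    return findings


def read_live_shell_value() -> Optional[str]:
    """Read the current Shell value from HKLM (Windows only; None elsewhere)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
        return value


if __name__ == "__main__":
    live = read_live_shell_value()
    target = live if live is not None else SAMPLE_INFECTED
    print(f"Shell = {target!r}")
    for finding in check_shell_value(target) or ["no findings"]:
        print(" -", finding)
```

On a Windows host the script inspects the live registry value; elsewhere it falls back to the constructed sample so the check can still be exercised.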
Analysis by Shawn Wang
Last update 13 August 2010