
Trojan:Win32/Oficla.X


First posted on 30 August 2010.
Source: SecurityHome

Aliases:

Trojan:Win32/Oficla.X is also known as Trojan.Agent.YITS (VirusBuster), Trojan horse Generic18.BEBY (AVG), Gen:Trojan.Heur.GZ.cqX@b4fUXDcc (BitDefender), Trojan.Siggen1.63948 (Dr.Web), Win32/TrojanDownloader.FakeAlert.FL (ESET), Trojan.Win32.Agent.etcp (Kaspersky), Generic.dx!thb (McAfee), Trojan.Win32.Generic.522453AB (Rising AV), Trojan.Win32.Generic!BT (Sunbelt Software), PAK_Generic.001 (Trend Micro).

Explanation:

Trojan:Win32/Oficla.X is a detection for malware that executes commands from a remote server, which may lead it to download additional malware.

Installation

Trojan:Win32/Oficla.X replaces "%windir%\system32\userinit.exe" with itself so that it executes at each system start, and backs up the original "userinit.exe" as "%windir%\system32\userinitxx.exe".

Trojan:Win32/Oficla.X modifies the following registry entry to make itself bypass Windows Firewall:

Adds value: "<Malware file path>"
With data: "<Malware file name>:*:enabled:ldrsoft"
Under key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Payload

Connects to remote server

Trojan:Win32/Oficla.X tries to connect to a remote server to report the infection and retrieve commands to execute. In the wild, we have observed the trojan attempting to connect to http://ip-dns-hosting.com.

Downloads and executes arbitrary files

Depending on the commands retrieved, Trojan:Win32/Oficla.X may download and execute additional files from a remote server. In the wild, we have observed the trojan downloading the following file:

  • %AppData%\download\svcnost.exe - detected as Trojan:Win32/Oficla.T

Note: %AppData% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the AppData folder for Windows 2000 and NT is C:\Documents and Settings\<user>\Application Data; and for XP, Vista, and 7 is C:\Users\<user>\AppData\Roaming.
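The artifacts listed above (the replaced userinit.exe, the userinitxx.exe backup, the "ldrsoft" firewall exception and the dropped svcnost.exe) are all checkable from the host. The following read-only triage script is an added example and is not part of the original advisory or of any vendor tool; it assumes an elevated PowerShell session on the Windows host being checked, and every path, registry key and value format it looks for is taken from the advisory text.

```powershell
# Added example, not part of the original advisory: read-only triage for the
# Trojan:Win32/Oficla.X installation artifacts. Assumes an elevated PowerShell
# session on the host being checked; paths, the registry key and the
# ":*:enabled:ldrsoft" value format come from the advisory.

$sys32    = Join-Path $env:windir 'System32'
$userinit = Join-Path $sys32 'userinit.exe'
$backup   = Join-Path $sys32 'userinitxx.exe'      # where the trojan parks the original
$svcnost  = Join-Path $env:APPDATA 'download\svcnost.exe'
$fwList   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

$findings = @()

# 1. userinit.exe is replaced by the trojan. The genuine binary carries a
#    Microsoft signature. Caveat: on hosts where system binaries are
#    catalog-signed rather than embedded-signed, this can report NotSigned for
#    a clean file, so treat it as a lead to confirm, not a verdict.
$sig = Get-AuthenticodeSignature -FilePath $userinit
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "userinit.exe signature status is '$($sig.Status)', expected a valid Microsoft signature"
}

# 2. The original is backed up as userinitxx.exe; a clean host has no such file.
if (Test-Path -LiteralPath $backup) {
    $findings += "backup of the original userinit.exe present: $backup"
}

# 3. The second stage observed in the wild (detected as Trojan:Win32/Oficla.T).
if (Test-Path -LiteralPath $svcnost) {
    $findings += "downloaded payload present: $svcnost"
}

# 4. Firewall exception: the value name is the malware path and the data ends
#    in ":*:enabled:ldrsoft". Registry values are exposed as properties, so the
#    provider's own metadata properties are skipped by name.
if (Test-Path -LiteralPath $fwList) {
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $entries = Get-ItemProperty -LiteralPath $fwList
    foreach ($prop in $entries.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        if ($prop.Value -is [string] -and $prop.Value -match ':\*:enabled:ldrsoft$') {
            $findings += "firewall AuthorizedApplications entry: '$($prop.Name)' = '$($prop.Value)'"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Oficla.X installation indicators found.'
} else {
    Write-Output 'Possible Trojan:Win32/Oficla.X indicators (confirm before acting):'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The script only reads; it does not delete or rename anything. If it reports findings, preserve the suspect files for analysis (hash them and compare userinit.exe against userinitxx.exe and a known-good copy from installation media) before remediating, since userinit.exe is required for interactive logon and removing it without restoring the original leaves the host unable to log on.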

Analysis by Shawn Wang

Last update 30 August 2010