
Trojan.Sasfis.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Sasfis.A is also known as Oficla.

Explanation:

Trojan.Sasfis.A is a dropper distributed as an e-mail attachment called agreement.zip.
A sample of the mail follows:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement,
regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

When executed, it drops a dll file to two locations:
1. %USERPROFILE%\Local Settings\Temp\[random digits].tmp
2. %SYSTEM%\ifmq.kqo

The dll is injected into a new instance of svchost.exe and scheduled to run with an Asynchronous Procedure Call (APC).

It is also added to the system startup by appending the string "rundll32.exe ifmq.kqo bmhyn" to the registry value
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell".

If an MS Office installation is detected, the malware will try to run a VB script through OLE automation in the context of MS Word's process. Macro execution is enabled by setting two registry values:
"Software\Microsoft\Office\10.0\Word\Security\Level" to 1, and
"Software\Microsoft\Office\10.0\Word\Security\AccessVBOM" to 1.

The VB script simply calls an export of the dll named "plljlt", declared as:
Declare Function plljlt Lib "DLL_PATH" (ByVal s As String) As Long
where DLL_PATH is the path of the dll dropped in %USERPROFILE%\Local Settings\Temp.

Trojan.Sasfis.A connects to 193.[removed].91 over HTTP in order to update itself and to request additional downloads.
A typical full URL is "http://193.[removed].91/limpopo/bb.php?id=975407403&v=200&tm=31&b=300".
It carries, among other things, a malware version number (v) and an installation identifier (id).
The server may respond with "[info]delay:45|upd:0|backurls:[/info]", which means that there are no pending updates and no additional files to download.
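The following is an added detection example, not code from the BitDefender write-up: it flags proxy-log lines whose URL matches the bb.php beacon pattern described above, parses the "[info]...[/info]" response format, and checks whether a Winlogon Shell value has been extended beyond the default "explorer.exe". The log lines and the 203.0.113.91 address are constructed placeholders (the real server is redacted on the page); the log format (timestamp, client, URL) is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Beacon shape from the write-up: bb.php with id, v, tm and b query parameters.
BEACON_RE = re.compile(r"/bb\.php\?(?=.*\bid=\d+)(?=.*\bv=\d+)(?=.*\btm=\d+)(?=.*\bb=\d+)")

def parse_beacon(url):
    """Return host, installation id and version for a matching beacon URL, else None."""
    if not BEACON_RE.search(url):
        return None
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    return {"host": parsed.hostname, "install_id": qs["id"][0],
            "version": qs["v"][0], "tm": qs["tm"][0], "b": qs["b"][0]}

def parse_info_response(body):
    """Parse the server's '[info]key:value|key:value[/info]' reply into a dict."""
    m = re.search(r"\[info\](.*?)\[/info\]", body, re.S)
    if not m:
        return None
    fields = {}
    for item in m.group(1).split("|"):
        if ":" in item:
            key, value = item.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def shell_value_is_suspicious(shell_value):
    """The default Winlogon Shell value is exactly 'explorer.exe'; anything appended is suspicious."""
    return shell_value.strip().lower() != "explorer.exe"

def scan_proxy_log(lines):
    """Return (client, beacon) pairs for log lines whose URL matches the beacon pattern."""
    hits = []
    for line in lines:
        parts = line.split()          # assumed format: timestamp client url
        if len(parts) < 3:
            continue
        beacon = parse_beacon(parts[2])
        if beacon:
            hits.append((parts[1], beacon))
    return hits

# Constructed sample log lines; the server address is a documentation-range placeholder.
SAMPLE_LOG = [
    "2011-11-21T10:00:01 10.0.0.5 http://203.0.113.91/limpopo/bb.php?id=975407403&v=200&tm=31&b=300",
    "2011-11-21T10:00:02 10.0.0.7 http://www.example.com/index.html",
]

if __name__ == "__main__":
    for client, beacon in scan_proxy_log(SAMPLE_LOG):
        print(client, beacon)
```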

Last update 21 November 2011
