
Trojan:Win32/Oficla.AC


First posted on 27 November 2010.
Source: SecurityHome

Aliases:

Trojan:Win32/Oficla.AC is also known as W32/Trojan3.CHW (Authentium (Command)), Trojan.Win32.Oficla.ayq (Kaspersky), Trojan.Oficla!dhIWKorC2oo (VirusBuster), Trojan horse Cryptic.BFT (AVG), TR/Spy.ZBot.NW (Avira), Trojan.Generic.5063183 (BitDefender), Win32/Bamital.BD (CA), Trojan.MulDrop1.52139 (Dr.Web), Win32/Oficla.JB (ESET), Trojan.Win32.Oficla (Ikarus), W32/Pinkslipbot.gen.w (McAfee), Bck/Qbot.AO (Panda), Mal/Oficla-A (Sophos), Trojan.Win32.Generic.pak!cobra (Sunbelt Software), Trojan.Sasfis (Symantec), and more.

Explanation:

Trojan:Win32/Oficla.AC is a trojan that attempts to contact a remote server to download and execute arbitrary files. In the wild, it has been observed downloading TrojanDropper:Win32/Bamital.C, which in turn infects the compromised system with Virus:Win32/Bamital.C.

Trojan:Win32/Oficla.AC is a trojan that attempts to contact a remote server to download and execute arbitrary files. In the wild, it has been observed downloading TrojanDropper:Win32/Bamital.C, which in turn infects the compromised system with either Virus:Win32/Bamital.C or Virus:Win32/Bamital.H.

Installation

Trojan:Win32/Oficla.AC arrives as an email attachment. Below are some samples of emails found to be carrying this malware. The attachment is a ZIP archive containing a Trojan:Win32/Oficla.AC binary with the same name as the ZIP archive but with an ".EXE" file extension. The malware also mimics the Microsoft Excel icon, so that when a user views the file in Windows Explorer they may think they are opening an Office document. Below are snapshots of some malware samples viewed in Windows Explorer:

Upon execution, this malware drops a copy of itself in the Windows System folder using a hardcoded name that follows the format:

<system folder>\<4 alphabetical characters>.<3 alphabetical characters>

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP, Vista, and 7.

Listed below are some of the names found to be used by Trojan:Win32/Oficla.AC:

aflx.ato
cdbu.euo
goap.cmo
hjdt.qto
htqy.nao
hyen.rho
ipch.ygo
jiuh.mjo
jssl.joo
jthv.oao
jxvy.dio
kine.bwo
lncl.wbo
lymj.qgo
nxqm.uyo
pcqr.rvo
rraq.kdo
slia.ofo
thxi.ixo
ubwi.wlo
uiye.cso
vkot.ujo
xfsf.jqo
xupw.pdo

The trojan creates a mutex whose name is also hardcoded in the malware body. The mutex name consists of 17-18 alphanumerical characters. Below are some examples of mutex names used by Trojan:Win32/Oficla.AC:

111936669542b82e27
12692285214ba6e3e9
13421855665000205e
14014840905388f33a
162601401860eb0142
18311354196d24e8bb
18436875656de4708d
21312817717f08c76b
23366501028b467376
26554195149e467c7a
2827828871a88d3e87
3218159617bfd13801
3518230204d1b3eebc
3522918577d1fb78b1
3546662287d365c58f
3688289087dbd6d33f
3812628095e340167f
3948371611eb575e9b
3998653920ee569de0
4006816705eed32bc1
4163727901f82d721d
58760387623061fa4
7667407742db38926
88186920334904193

Trojan:Win32/Oficla.AC is capable of starting itself every time the computer reboots. It accomplishes this by replacing the data of the following registry value:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "Shell"
From data: "<original data>"
To data: "Explorer.exe rundll32.exe <malware filename> <malware function name>"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "Shell"
From data: "<original data>"
To data: "Explorer.exe rundll32.exe jthv.oao whbkjlj"

In addition, Trojan:Win32/Oficla.AC also drops a copy of itself into the user's Temporary directory:

%TEMP%\<random alphanumeric characters>.tmp

It tries to launch a legitimate instance of the service host process (svchost.exe) and injects the *.TMP copy of itself into it.

Payload

Downloads and executes arbitrary files

Trojan:Win32/Oficla.AC attempts to download and execute arbitrary files from specified remote hosts. In the wild, we have observed the trojan contacting the following remote hosts as part of this process:

biznes-lab.info
exfacebooks.com
fary5monn.info
gruzakk.com
logstime.com
matchpassion.net
mediamoon.ru
nuzno.us
olgashelest.ru
showtimeru.ru
thegoodbox.com
unknown-garbage.com
webauc.ru
wvw.aol-serv.net

In one instance, it was observed downloading and installing TrojanDropper:Win32/Bamital.C, which in turn infects the compromised system with either Virus:Win32/Bamital.C or Virus:Win32/Bamital.H.
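The three host-based indicators in the description above (the Winlogon "Shell" value rewritten to chain rundll32.exe, a 4.3-character file name in the System folder, and a 17-18 character alphanumeric mutex name) can be turned into a small triage check. The script below is an added example written for this page; it is not code from the original analysis or from any vendor tool. It assumes the Shell value, the System folder listing and the mutex names have already been collected by other means and are handed in as plain strings, and the allow-list of ordinary executable extensions used to cut false positives (calc.exe and ping.exe are legitimate 4.3 names) is an assumption of the example, not something the write-up states.

```python
import re

# Stock Winlogon "Shell" value on a default Windows installation; anything beyond
# it means a second program is started at logon.
EXPECTED_SHELL = "explorer.exe"

# Dropped-file name format from the write-up: <4 alphabetic>.<3 alphabetic>
DROPPED_NAME_RE = re.compile(r"^[A-Za-z]{4}\.[A-Za-z]{3}$")

# Mutex names in the write-up are 17-18 alphanumeric characters
MUTEX_NAME_RE = re.compile(r"^[0-9A-Za-z]{17,18}$")

# Extensions a legitimate 4.3 name in the System folder normally carries.
# Assumption of this example: a 4.3 name with an extension outside this set
# is worth a second look, the ones inside it are usually ordinary binaries.
KNOWN_EXTENSIONS = {"exe", "dll", "sys", "ocx", "cpl", "drv", "scr", "com"}


def inspect_shell_value(shell_value):
    """Examine a Winlogon Shell value.

    Returns None when the value is only the stock Explorer.exe. Otherwise
    returns a dict describing the extra launch; when the value follows the
    "Explorer.exe rundll32.exe <module> <export>" pattern from the write-up,
    the module and export name are split out and the module name is tested
    against the 4.3 file name pattern.
    """
    parts = shell_value.split()
    if [p.lower() for p in parts] == [EXPECTED_SHELL]:
        return None
    finding = {
        "value": shell_value,
        "rundll32": False,
        "module": None,
        "function": None,
        "module_name_matches": False,
    }
    if (len(parts) >= 4
            and parts[0].lower() == EXPECTED_SHELL
            and parts[1].lower() == "rundll32.exe"):
        finding["rundll32"] = True
        finding["module"] = parts[2]
        finding["function"] = parts[3]
        finding["module_name_matches"] = bool(DROPPED_NAME_RE.match(parts[2]))
    return finding


def suspicious_filenames(names):
    """Return names from a System folder listing that follow the 4.3 pattern
    and carry an extension no ordinary executable or library uses."""
    hits = []
    for name in names:
        if not DROPPED_NAME_RE.match(name):
            continue
        ext = name.rsplit(".", 1)[1].lower()
        if ext not in KNOWN_EXTENSIONS:
            hits.append(name)
    return hits


def is_mutex_like(name):
    """True when a mutex name has the 17-18 alphanumeric shape from the write-up."""
    return bool(MUTEX_NAME_RE.match(name))


def triage(shell_value, system_listing, mutex_names):
    """Combine the three checks into one report for a host. The strongest
    signal is a rundll32 module named in Shell that is also present on disk."""
    shell = inspect_shell_value(shell_value)
    report = {
        "shell": shell,
        "files": suspicious_filenames(system_listing),
        "mutexes": [m for m in mutex_names if is_mutex_like(m)],
        "module_on_disk": False,
    }
    if shell and shell["module"]:
        wanted = shell["module"].lower()
        report["module_on_disk"] = any(n.lower() == wanted for n in system_listing)
    return report


if __name__ == "__main__":
    import json
    # Constructed sample input modelled on the write-up, not real telemetry
    sample_shell = "Explorer.exe rundll32.exe jthv.oao whbkjlj"
    sample_listing = ["calc.exe", "ntdll.dll", "jthv.oao", "ping.exe", "user32.dll"]
    sample_mutexes = ["111936669542b82e27", "ConstructedLegitMutexName", "58760387623061fa4"]
    print(json.dumps(triage(sample_shell, sample_listing, sample_mutexes), indent=2))
```

The Shell check is the one to trust most: a default system has exactly "Explorer.exe" there, so any extra token is a finding regardless of whether this particular family is involved, while the file name and mutex patterns on their own are only weak corroboration and will match some benign objects.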

Analysis by Gilou Tenebro

Last update 27 November 2010

 
