Threat behavior
Trojan:Win32/Oficla.V is a malicious program that cannot spread on its own. Once running, it may perform a number of actions of an attacker's choice on the affected machine.
Installation
Trojan:Win32/Oficla.V creates the following file(s) on an affected machine:
<system folder>\<random file name 1> (for example, vryw.kco) - detected as Trojan:Win32/Oficla.V
%Temp%\<random file name 2>.tmp - also detected as Trojan:Win32/Oficla.V
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
The malware modifies the following registry entry so that its component in the <system folder> is loaded by rundll32.exe at every logon. Winlogon runs whatever the Shell value lists when a user logs on; the default data is just "explorer.exe", and the malware appends its own rundll32.exe command after it:
Adds value: "Shell"
With data: "explorer.exe rundll32.exe <random file name 1> <random function name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
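The following PowerShell is an added example for checking a machine for this persistence mechanism; it is not part of the original analysis. It classifies the Winlogon Shell value (default, absent, or carrying an appended rundll32.exe command in the form quoted above), extracts the DLL and export names, and checks whether the named file exists in the system folder. The function names, the constructed sample Shell strings and the export name "aqpfrkx" are assumptions made for the example; the real export name is random.

```powershell
# Added example, not part of the original advisory. Function names and the
# sample data below are assumptions; the Shell data format follows the entry
# quoted above ("explorer.exe rundll32.exe <random file name 1> <random function name>").
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Classify a Shell value string. Kept free of registry access so it can also be
# run against offline data (a .reg export, a mounted hive, a constructed sample).
function Test-ShellValue {
    param([string]$Shell)

    if ([string]::IsNullOrWhiteSpace($Shell)) {
        return [pscustomobject]@{ Suspicious = $false; Dll = $null; Export = $null
                                  Reason = 'Shell value absent; Winlogon defaults to explorer.exe' }
    }
    if ($Shell.Trim() -ieq 'explorer.exe') {
        return [pscustomobject]@{ Suspicious = $false; Dll = $null; Export = $null
                                  Reason = 'Default value' }
    }
    # Oficla.V appends "rundll32.exe <dll> <export>" after explorer.exe so that
    # Winlogon also loads the DLL from the system folder at every logon.
    if ($Shell -imatch 'rundll32(\.exe)?\s+(?<dll>\S+)\s+(?<export>\S+)') {
        return [pscustomobject]@{ Suspicious = $true; Dll = $Matches['dll']; Export = $Matches['export']
                                  Reason = 'rundll32 command appended to the Shell value' }
    }
    # Anything else is still worth a look: the default is a single "explorer.exe".
    return [pscustomobject]@{ Suspicious = $true; Dll = $null; Export = $null
                              Reason = 'Shell value is not the default explorer.exe' }
}

# Read the live value and, when a DLL name was extracted, resolve it the way the
# advisory describes (a bare file name dropped in the system folder) and check
# whether that file is present.
function Test-WinlogonShell {
    $shell  = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
    $result = Test-ShellValue $shell
    $path = $null
    $present = $false
    if ($result.Dll) {
        $path = $result.Dll
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"
        }
        $present = Test-Path -LiteralPath $path
    }
    [pscustomobject]@{
        Shell      = $shell
        Suspicious = $result.Suspicious
        Reason     = $result.Reason
        Export     = $result.Export
        DllPath    = $path
        DllPresent = $present
    }
}

# Constructed samples (not captured data). The first matches the pattern in the
# advisory using the example file name vryw.kco and a made-up export name.
Test-ShellValue 'explorer.exe rundll32.exe vryw.kco aqpfrkx' | Format-List
Test-ShellValue 'explorer.exe' | Format-List

# Live check of this machine; reading HKLM normally needs no elevation.
Test-WinlogonShell | Format-List
```

If the live check reports a rundll32.exe command, the persistence can be undone by setting the Shell value back to "explorer.exe" (Set-ItemProperty -Path $WinlogonKey -Name Shell -Value 'explorer.exe', which needs an elevated prompt), then removing the DLL from the system folder and the %Temp%\<random file name 2>.tmp component listed above, and rebooting so that no copy of the code remains loaded. Preserve the DLL and the registry data first if you intend to analyse the sample.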
Payload
Contacts remote host
Trojan:Win32/Oficla.V may contact a remote host at ptf.messenger-update.su. Commonly, malware may contact a remote host for the following purposes:
- To download and execute arbitrary files (including updates or additional malware)
One such file it has been observed to download is detected as the following:
Analysis by Shawn Wang
Prevention