Trojan:Win32/Oficla.M is a trojan that attempts to inject code into a running process in order to download a rogue security program identified as TrojanDownloader:Win32/FakeScanti.
Installation
Trojan:Win32/Oficla.M is a detection for both the dropper executable and the dropped DLL. In the wild, this trojan has been observed being distributed as an attachment to spammed e-mail messages. The attachment is an archive file with one of the following names:
- "Facebook details <random 3 or 4 digit number>.zip"
- "Facebook password <random 3 or 4 digit number>.zip"
- "Facebook document <random 3 or 4 digit number>.zip"
The attachment contains an executable with the same name as the archive. The spammed e-mail message resembles one of the following:
From: <spoofed sender>@facebookmail.com
To: <recipient>
Subject: Facebook Password Reset Confirmation! Important Message
Attachment: Facebook password 357.zip (Facebook password 357.exe)
Dear user of facebook,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
Your Facebook.

From: <spoofed sender>@facebookmail.com
To: <recipient>
Subject: Facebook Password Reset Confirmation NR.7131
Attachment: Facebook document 674.zip (Facebook document 674.exe)
Hey <recipient> ,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
The Facebook Team

From: <spoofed sender>@facebookmail.com
To: <recipient>
Subject: Facebook Password Reset Confirmation NR.83008
Attachment: Facebook details 3472.zip (Facebook details 3472.exe)
Hey <recipient> ,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
The Facebook Team.
When run, the trojan drops a copy of itself into the Windows Temporary Files folder under a file name consisting of a random number and a ".TMP" extension, such as "%TEMP%\1.tmp". The dropped copy is then executed; it queues a user-mode Asynchronous Procedure Call (APC) to "svchost.exe", so that the malicious APC runs inside the running "svchost.exe" process.
The trojan is then copied into the Windows system folder under a file name that differs between minor variants. We have observed the following file names being used in this way in the wild:
- ffxl.hmo
- mjbf.xlo
- obij.vco
- ohov.fxo
- wrdr.kuo
- ylvr.dwo
- nnfj.tqo
The registry is modified so that this copy runs at each Windows start, as in the following example:
Modifies value: "Shell"
With data: "explorer.exe rundll32.exe ffxl.hmo vhoyog"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note: In the above, the data "ffxl.hmo vhoyog" may change among minor variants of this trojan.
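The Winlogon "Shell" value is normally just "explorer.exe", so a defender can flag the appended rundll32 invocation described above. The following check is an added example and is not part of this entry or of any Microsoft tool; the .reg export text it scans is constructed for the example, using the "ffxl.hmo vhoyog" data quoted above.

```python
import re
from typing import Optional

# Registry key that Oficla.M modifies (quoted from the entry above).
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Shape of the Shell data the trojan writes: the legitimate shell followed by
# a rundll32 invocation of the dropped module and an export name.
RUNDLL_SHELL = re.compile(
    r"^explorer\.exe\s+rundll32(?:\.exe)?\s+(?P<module>\S+)\s+(?P<export>\S+)\s*$",
    re.IGNORECASE,
)


def check_winlogon_shell(data: str) -> Optional[dict]:
    """Return a finding if the Shell data is anything other than explorer.exe."""
    value = data.strip().strip('"')
    if value.lower() == "explorer.exe":
        return None  # default, nothing to report
    m = RUNDLL_SHELL.match(value)
    if m:
        return {"reason": "rundll32 appended to Shell",
                "module": m["module"], "export": m["export"]}
    return {"reason": "non-default Shell", "module": None, "export": None}


def scan_reg_export(text: str) -> list:
    """Scan .reg export text and report any suspicious Winlogon Shell value."""
    findings, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None:
            continue
        # Normalise the long hive name so it compares with the HKLM form above.
        key = current_key.lower().replace("hkey_local_machine\\", "hklm\\")
        if key != WINLOGON_KEY.lower():
            continue
        m = re.match(r'^"Shell"="(.*)"$', line, re.IGNORECASE)
        if m and (finding := check_winlogon_shell(m.group(1))):
            finding["key"] = current_key
            findings.append(finding)
    return findings


# Constructed sample export (not captured from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe rundll32.exe ffxl.hmo vhoyog"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""
```

Because the module and export names change between minor variants, the check keys on the structure of the value rather than on "ffxl.hmo vhoyog" itself.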
Payload
Downloads other malware
The trojan has been observed contacting the following domains to download other malware, such as the rogue security program TrojanDownloader:Win32/FakeScanti:
- yoookolai.ru
- autotradersuk.net
- da-google.com
- client158.faster-hosting.com
- garavangzik.com
Analysis by Marian Radu