Trojan:Win32/Oficla.AH is a trojan that searches for strings suggesting that the user has accessed certain online financial institutions and attempts to report this to a remote server. The trojan may also attempt to download arbitrary files.
Installation
In the wild, this trojan was observed to be distributed in spam email as an attachment, as in the following examples:
Trojan:Win32/Oficla.AH may have a file icon that resembles a PDF file:
When run, it creates a mutex named "zentoworld_07753191_dada" to prevent more than one instance of the trojan from executing at a time. Trojan:Win32/Oficla.AH drops a copy of itself as the following:
%APPDATA%\<32 random alphanumeric characters>\csrss.exe
For example:
C:\Documents and Settings\Administrator\Application Data\ucdk3oa3fhveifyvnoh3vp1bjgkdtlu2\csrss.exe
The registry is modified to run the trojan at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
From data: "<original data>" such as "explorer.exe"
To data: "explorer.exe "<path of Trojan:Win32/Oficla.AH>\csrss.exe""
This variant of Win32/Oficla attempts to avoid executing within the following virtualization and sandbox technologies:
Anubis
CWSandbox
JoeBox
Parallels
Sandboxie
ThreatExpert
VMware
VirtualBox
The trojan also checks that the current user or computer name does not match a list of possible sandbox user or computer names.
Payload
Bypasses Windows firewall
This trojan bypasses the Windows Firewall by adding its own file to the firewall's list of authorized applications in the registry.
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<path of Trojan:Win32/Oficla.AH file>"
With data: "<Trojan:Win32/Oficla.AH file>:*:enabled:ldrsoft"
Disables security application
Trojan:Win32/Oficla.AH checks for the presence of Trusteer's Rapport, an online banking security application. If it finds the software on the affected system, it attempts to overwrite the following files, which disables the product:
%ProgramFiles%\Trusteer\Rapport\js\config.js
%ProgramFiles%\Trusteer\Rapport\bin\RapportService.exe
%ProgramFiles%\Trusteer\Rapport\bin\RapportMgmtService.exe
Searches for online financial transaction activity
Trojan:Win32/Oficla.AH searches web browser cookies and the Internet cache for the following domain name and path fragments:
.anz.com
/bsi.dll
bankofcyprus.com
capitalone.com
cedacri.it
chase.com
commbank.com.au
commerzbanking.de
csebo.it
deutsche-bank.de
finanzportal.fiducia.de
gruppocarige.it
ibank.alfabank.ru
laiki.com
libertyreserve.com
online.westpac.com.au
payment.ru
perfectmoney.com
postbank.de
poste.it
sparkasse.de
stgeorge.com.au
suncorpbank.com.au
targobank.de
The trojan uses these strings to determine whether the user has transacted with the listed online financial institutions and reports the result to a remote server. In the wild, this trojan was observed to communicate with the following remote servers:
Downloads and executes arbitrary files
This malware is capable of executing commands received from a control server, such as downloading and executing arbitrary files. At the time of writing, these sites were not reachable, so the server responses could not be investigated further.
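The string search described under "Searches for online financial transaction activity" is a plain case-insensitive substring test, which is also what a responder needs to run over an exported cookie or cache listing to learn which of a victim's banking sessions the trojan could have reported. The script below is an added example and is not code from the original analysis; the fragment list is the page's own, while the cache lines, the function names (scan_cache, matched_fragments) and the one-URL-per-line export format are constructed assumptions. It also shows the edge cases of the trojan's matching: the leading dot in ".anz.com" anchors only the left side, so a look-alike host such as www.anz.com.evil.example still matches, and "/bsi.dll" is a path fragment that matches on any host.

```python
r"""Triage of a cookie/cache URL listing against the Oficla.AH target strings.

Added example; not code from the original Microsoft analysis.  Assumptions:
the listing is one URL per line (as a cache index or cookie export might be
dumped), and the function names are ours.
"""
from urllib.parse import urlsplit

# The fragments listed on the page, as the trojan searches for them.
TARGET_STRINGS = [
    ".anz.com", "/bsi.dll", "bankofcyprus.com", "capitalone.com", "cedacri.it",
    "chase.com", "commbank.com.au", "commerzbanking.de", "csebo.it",
    "deutsche-bank.de", "finanzportal.fiducia.de", "gruppocarige.it",
    "ibank.alfabank.ru", "laiki.com", "libertyreserve.com",
    "online.westpac.com.au", "payment.ru", "perfectmoney.com", "postbank.de",
    "poste.it", "sparkasse.de", "stgeorge.com.au", "suncorpbank.com.au",
    "targobank.de",
]

# Constructed sample listing (not from a real infection).
SAMPLE_CACHE_INDEX = """\
https://www.google.com/search?q=weather
https://www.anz.com/INETBANK/bankmain.asp
https://banking.postbank.de/rai/login
https://www.chase.com/
https://mfasa.chase.com/auth/
http://example.org/bsi.dll?sessionid=123
https://www.example.com/news
https://news.sparkasse.de/presse
https://www.anz.com.evil.example/login
"""


def scan_cache(text):
    """Return (fragment, url, location) triples for every URL that contains a target string.

    location is "host" when the fragment occurs in the host name and "path" when it
    occurs only in the path/query, mirroring the two kinds of fragment in the list.
    """
    results = []
    for line in text.splitlines():
        url = line.strip()
        if not url:
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()          # hostname is already lower-cased
        path = parts.path + ("?" + parts.query if parts.query else "")
        for fragment in TARGET_STRINGS:
            if fragment in host:
                results.append((fragment, url, "host"))
            elif fragment in path.lower():
                results.append((fragment, url, "path"))
    return results


def matched_fragments(text):
    """Sorted set of target strings that fired at least once (what the trojan would report)."""
    return sorted({fragment for fragment, _, _ in scan_cache(text)})


if __name__ == "__main__":
    for fragment, url, location in scan_cache(SAMPLE_CACHE_INDEX):
        print(f"{fragment:26} {location:4} {url}")
    print("reported:", matched_fragments(SAMPLE_CACHE_INDEX))
```

Note that the look-alike host and the "/presse" page on news.sparkasse.de both match even though neither is a banking session, so a hit means the trojan would have reported the institution, not that a transaction actually occurred.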
Additional Information
Trojan:Win32/Oficla.AH appends some of its data to the configuration file "%windir%\win.ini" for storage. It also creates the following registry data:
In subkey: HKCU\Software\Microsoft
Sets value: "setiasworld"
With data: "<identifier>" for example: "l3f3nqskzhmigfqkdqtytwkesybr2fz"
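The three registry modifications on this page (the Winlogon "Shell" hijack under Installation, the Windows Firewall AuthorizedApplications exception under Payload, and the "setiasworld" marker above) can all be checked from an offline registry export, which is how an analyst would triage a disk image or a `reg export` taken from a suspect host. The script below is an added example, not code from the original analysis: it parses a REGEDIT4-style export and applies one check per modification. The export text is constructed to contain the values described on this page, the helper names (parse_reg_export, check_winlogon_shell, check_firewall_exceptions, check_marker_value, triage) are our own, and the rule "any Shell value other than exactly explorer.exe is suspicious" and "a firewall exception under a user profile is suspicious" are assumptions chosen to catch the page's behaviour, not part of the original write-up.

```python
r"""Offline registry triage for the Trojan:Win32/Oficla.AH modifications on this page.

Added example; not code from the original Microsoft analysis.  It parses a
REGEDIT4-style export (only REG_SZ "name"="value" lines are needed here) and
flags the Winlogon Shell hijack, the firewall exception and the HKCU marker.
The sample export below is constructed from the page's description.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                 r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
HKCU_MICROSOFT = r"HKEY_CURRENT_USER\Software\Microsoft"

# Constructed sample export: the three Oficla.AH changes plus two benign values.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe \"C:\\Documents and Settings\\Administrator\\Application Data\\ucdk3oa3fhveifyvnoh3vp1bjgkdtlu2\\csrss.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Administrator\\Application Data\\ucdk3oa3fhveifyvnoh3vp1bjgkdtlu2\\csrss.exe"="C:\\Documents and Settings\\Administrator\\Application Data\\ucdk3oa3fhveifyvnoh3vp1bjgkdtlu2\\csrss.exe:*:enabled:ldrsoft"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_CURRENT_USER\Software\Microsoft]
"setiasworld"="l3f3nqskzhmigfqkdqtytwkesybr2fz"
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for the REG_SZ values in an export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                # .reg files escape backslash and double quote with a backslash.
                name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                keys[current][name] = data
    return keys


def check_winlogon_shell(keys):
    """Oficla.AH appends its csrss.exe copy to Shell; anything but explorer.exe is flagged."""
    shell = keys.get(WINLOGON, {}).get("Shell")
    if shell is None or shell.strip().lower() == "explorer.exe":
        return []
    return [f"Winlogon Shell hijacked: {shell}"]


def check_firewall_exceptions(keys):
    """Flag AuthorizedApplications entries under a user profile or labelled 'ldrsoft'."""
    findings = []
    for path, data in keys.get(FIREWALL_LIST, {}).items():
        lowered = path.lower()
        in_profile = "\\application data\\" in lowered or "\\appdata\\" in lowered
        if in_profile or data.lower().endswith(":ldrsoft"):
            findings.append(f"Firewall exception for {path} (label {data.split(':')[-1]})")
    return findings


def check_marker_value(keys):
    """Flag the 'setiasworld' identifier the trojan stores under HKCU Software Microsoft."""
    marker = keys.get(HKCU_MICROSOFT, {}).get("setiasworld")
    return [f"Oficla marker value setiasworld={marker}"] if marker else []


def triage(text):
    """Run all three checks over an export and return the findings in page order."""
    keys = parse_reg_export(text)
    return check_winlogon_shell(keys) + check_firewall_exceptions(keys) + check_marker_value(keys)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```

The benign Userinit and Windows Messenger entries are included so the checks can be seen to leave normal values alone; on a live host the same checks apply to the output of `reg export` for the two HKLM paths and the user's HKCU hive.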
Analysis by Gilou Tenebro