Threat behavior
Installation
Trojan:Win32/Oficla.G may have been distributed in a spammed e-mail message as a file attachment. The file attachment may be named "balancechecker.zip" and contain an executable named "balancechecker.exe". The message may resemble the one below:
From: <support|no-reply|verizon><@verizonwireless.com>
Subject: Your credit balance is over its limit
Attachment: balancechecker.zip (balancechecker.exe)
Dear Verizon Wireless customer,
Your credit balance is over its limit. Please use the attached Verizon Wireless Balance Checker Tool to review and analyze your payments.
Yours sincerely,
Verizon Wireless Customer Services
When executed, Trojan:Win32/Oficla.G drops a DLL into the %TEMP% directory as a file with a .TMP file extension, then registers the dropped component as a COM object (this DLL file is detected as Trojan:Win32/Oficla.E). Win32/Oficla.G launches the Windows system executable "svchost.exe" to activate the DLL component. Win32/Oficla.G then copies Trojan:Win32/Oficla.E to the Windows system directory as "ifmq.kqo" and modifies the registry so that it is executed when Windows starts:
Adds value: "Shell"
With data: "explorer.exe rundll32.exe ifmq.kqo bmhyn"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
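One check a defender can run against the persistence mechanism described above, as an added example that is not part of the original encyclopedia entry: it reads the Winlogon "Shell" value and flags anything other than the default "explorer.exe", then reports whether each extra token on the command line resolves to a file in the system directory. The registry key, value name and data come from the entry; the default value of "explorer.exe" and the use of %SystemRoot%\System32 as the "Windows system directory" are assumptions, and Get-FileHash requires PowerShell 4 or later.

```powershell
# Added example (not from the original encyclopedia entry): audit the Winlogon
# "Shell" value that Trojan:Win32/Oficla.G modifies for persistence.
# Assumption: on an unmodified system the value is exactly "explorer.exe";
# any additional tokens (for example a rundll32.exe invocation) warrant investigation.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell

if ($null -eq $shell) {
    Write-Output "Shell value not present under $key (Windows falls back to explorer.exe)."
}
elseif ($shell.Trim() -ieq 'explorer.exe') {
    Write-Output "Shell value is the default: $shell"
}
else {
    Write-Warning "Non-default Winlogon Shell value: $shell"

    # Split the command line into tokens and report anything beyond the default shell.
    $tokens = $shell -split '\s+' | Where-Object { $_ }
    foreach ($t in $tokens) {
        if ($t -ine 'explorer.exe' -and $t -ine 'rundll32.exe') {
            # Assumption: the entry's "Windows system directory" is %SystemRoot%\System32.
            $candidate = Join-Path $env:SystemRoot "System32\$t"
            if (Test-Path -Path $candidate -PathType Leaf) {
                $hash = (Get-FileHash -Path $candidate -Algorithm SHA256).Hash
                Write-Output "  referenced file exists: $candidate (SHA256 $hash)"
            }
            else {
                # Tokens that are not files (such as a DLL export name) land here.
                Write-Output "  token '$t' does not resolve to a file in System32"
            }
        }
    }
}
```

Run the script in an elevated session on the host under review; a hit on the entry's data would show "explorer.exe rundll32.exe ifmq.kqo bmhyn", with "ifmq.kqo" resolving to a file in System32 and "bmhyn" (the export name passed to rundll32.exe) reported as a non-file token. Recording the SHA256 of any referenced file gives you an artifact to submit for scanning and to search for across other hosts.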
Payload
Downloads arbitrary files
This version of Trojan:Win32/Oficla.E attempts to download other malware from the IP address "193.104.27.91".
Analysis by Patrick Nolan & Shali Hsieh
Prevention