Threat behavior
Trojan:Win32/Oficla.H is a trojan that attempts to inject code into a running process in order to download a rogue security program such as TrojanDownloader:Win32/FakeScanti.
Installation
Trojan:Win32/Oficla.H may arrive on the system as an attachment to spammed e-mail messages. The attachment is an archive file named "UPS_document_Nr28451.zip". We have observed this malware being distributed under other file names as well, such as the following:
DHL_document_Nr39153.zip
DHL_document_Nr47813.zip
DHL_document_Nr63813.zip
UPS_document_Nr46721.zip
Western_Union_documento_Nr7821.zip
The archive file contains an executable with the same base name but a ".EXE" file extension (for example "UPS_document_Nr28457.exe"), carrying a file icon that mimics a Microsoft Word document.
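The attachment pattern described above (a courier-themed archive name of the form "<carrier>_document_Nr<digits>.zip" wrapping an executable that mirrors the archive's own name) is something a mail gateway or triage script can check without ever running the member. The following is an added example, not code from the original encyclopedia entry; the lure regular expression is built only from the file names listed above, the zip contents are constructed in memory for the demonstration, and the `EXEC_EXTS` list is an assumption about which member extensions a defender would treat as executable.

```python
import io
import ntpath
import re
import zipfile

# Built from the observed names on this page; "documento" is the Western Union variant.
LURE_NAME_RE = re.compile(
    r"^(?:UPS|DHL|Western_Union)_documento?_Nr\d+\.zip$", re.IGNORECASE
)

# Assumed set of member extensions a gateway treats as directly executable.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def build_sample_zip(member_name: str, payload: bytes = b"MZ-constructed") -> bytes:
    """Construct an in-memory zip for the demonstration (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def inspect_attachment(archive_name: str, data: bytes) -> dict:
    """Report why a zip attachment looks like this lure, without executing anything."""
    findings = []
    if LURE_NAME_RE.match(archive_name):
        findings.append("archive name matches courier lure pattern")

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return {"archive": archive_name, "findings": ["not a valid zip"], "suspicious": True}

    archive_stem = ntpath.splitext(archive_name)[0].lower()
    for member in members:
        stem, ext = ntpath.splitext(ntpath.basename(member))
        if ext.lower() in EXEC_EXTS:
            findings.append(f"executable member: {member}")
            # The lure ships an .EXE named exactly like the archive it is in.
            if stem.lower() == archive_stem:
                findings.append("member name mirrors archive name")

    return {"archive": archive_name, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    lure = inspect_attachment(
        "UPS_document_Nr28451.zip", build_sample_zip("UPS_document_Nr28451.exe")
    )
    benign = inspect_attachment("invoice_2024.zip", build_sample_zip("invoice_2024.pdf"))
    for report in (lure, benign):
        print(report["archive"], "->", "SUSPICIOUS" if report["suspicious"] else "ok", report["findings"])
```

The check keeps the two signals separate on purpose: the name pattern is specific to this campaign and will age, while "zip whose executable member is named after the archive" is a lure construction that outlives any one set of file names.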
When run, the trojan drops a file with a random file name and a ".TMP" file extension into the Windows temporary files folder, for example "%TEMP%\e.tmp", detected as Trojan:Win32/Oficla.H!dll. This file is then copied under a random name into the Windows system folder, for example:
<system folder>\aqlb.hjo
The registry is modified so that this copy runs at each Windows start, as in the following example:
Modifies value: "Shell"
From data: "explorer.exe"
To data: "explorer.exe rundll32.exe aqlb.hjo lhoweid"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note: In the above, the data "aqlb.hjo lhoweid" varies between installations. The trojan also injects code into the running process "svchost.exe".
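The persistence shown above is easy to audit because the Winlogon "Shell" value normally contains nothing but "explorer.exe"; anything appended to it is worth a look, and "rundll32.exe" loading a relative-path module whose extension is not ".dll" is exactly the shape of the example. The following is an added example, not code from the original entry: it audits a Shell value string, and on Windows it can optionally read the live value through the standard `winreg` module. The sample values it is run against are constructed for the demonstration, and the rule that any deviation from plain "explorer.exe" counts as suspicious is an assumption a defender would tune to their environment.

```python
import ntpath
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"


def audit_winlogon_shell(shell_value: str) -> dict:
    """Explain what is unusual about a Winlogon Shell value (constructed or live)."""
    tokens = shell_value.split()
    findings = []

    if not tokens or tokens[0].lower() != EXPECTED_SHELL:
        findings.append("Shell does not start with explorer.exe")

    # Everything after explorer.exe is an extra command launched at every logon.
    extra = tokens[1:]
    if extra:
        findings.append(f"extra command appended to Shell: {' '.join(extra)}")

    for i, tok in enumerate(extra):
        if ntpath.basename(tok).lower() == "rundll32.exe" and i + 1 < len(extra):
            # rundll32 syntax is "<module>,<entry>" or "<module> <entry>"; keep the module part.
            module = extra[i + 1].split(",", 1)[0]
            if ntpath.splitext(module)[1].lower() != ".dll":
                findings.append(f"rundll32.exe loads a module with a non-DLL extension: {module}")
            if not ntpath.isabs(module):
                # A bare name is resolved via the search path (system folder first),
                # which is how "aqlb.hjo" in the example is found.
                findings.append(f"rundll32.exe module given without a full path: {module}")

    return {"value": shell_value, "findings": findings, "suspicious": bool(findings)}


def read_live_shell_value():
    """Return the machine's Winlogon Shell value on Windows, or None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "Shell")
    return value


if __name__ == "__main__":
    # Constructed samples: the clean default and the value from the entry's example.
    samples = [
        "explorer.exe",
        "explorer.exe rundll32.exe aqlb.hjo lhoweid",
    ]
    live = read_live_shell_value()
    if live is not None:
        samples.append(live)
    for value in samples:
        report = audit_winlogon_shell(value)
        print(f"{value!r}: {'SUSPICIOUS' if report['suspicious'] else 'ok'}")
        for finding in report["findings"]:
            print("   -", finding)
```

Running the audit against the live key on Windows requires only read access to HKLM, so it can be scheduled from an unprivileged inventory account; the same parser can be pointed at registry exports or EDR telemetry that records the "To data" side of a Winlogon modification.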
Payload
Downloads other malware
Analysis by Wei Li
Prevention