Threat behavior
Trojan:Win32/Wopla.gen!Y is a generic detection for a Trojan family that acts as a proxy, allowing an attacker to send spam e-mails, some with binary attachments. Trojan:Win32/Wopla.gen!Y may also download, upload and execute files on the affected machine.
Installation
The Trojan may set at least one registry data value.
Adds key with value: "Placeholder_Databr" = <malware-specific binary data> (e.g., "br.secdep.info" and "br.nulladdress.com")
Within subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
Payload
Relays Spam
Trojan:Win32/Wopla.gen!Y connects to a remote server over TCP port 80 (HTTP) to receive spam relay details. In the wild, this Trojan was observed connecting to a server named 'br.secdep.info'.
Downloaded spam relay configuration files may use the following file names:
sc_log.dat
sm_log.dat
st_log.dat
Downloads and Executes Arbitrary Files
Trojan:Win32/Wopla.gen!Y may download, upload and execute files on the affected machine.
Additional Information
Trojan:Win32/Wopla.gen!Y may create a randomly named mutual exclusion object (mutex) while the Trojan is running, such as 'rbr_wfdfdsayterdsffsfsdddaystreyretaoyrt'.
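As an added example (not part of this encyclopedia entry), the following Python checks offline artifacts for the indicators listed above: the Placeholder_Databr value under the Internet Explorer\Main key in a regedit export, the three spam relay configuration file names, and the sample mutex name. The sample .reg text is constructed, and matching the 'rbr_' prefix in the mutex check is an assumption of the example, since the entry says the name is random.

```python
import re
from typing import Iterable, List

# Indicators quoted in the entry above; the registry data is malware specific,
# so only the value name and its parent key are matched.
WOPLA_REG_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main"
WOPLA_REG_VALUE = "Placeholder_Databr"
WOPLA_CONFIG_FILES = {"sc_log.dat", "sm_log.dat", "st_log.dat"}
WOPLA_MUTEX_SAMPLE = "rbr_wfdfdsayterdsffsfsdddaystreyretaoyrt"

def registry_hits(reg_export: str) -> List[str]:
    """Parse a regedit-style export and return the data of every
    Placeholder_Databr value found under the Internet Explorer\\Main key."""
    text = re.sub(r"\\\r?\n\s*", "", reg_export)  # join wrapped hex: lines
    hits, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]  # a new [HKEY_...] section begins
            continue
        if current_key and current_key.lower() == WOPLA_REG_KEY.lower():
            m = re.match(r'"([^"]+)"=(.+)$', line)
            if m and m.group(1) == WOPLA_REG_VALUE:
                hits.append(m.group(2))
    return hits

def decode_reg_data(data: str) -> str:
    """Render .reg value data readably: plain hex:62,72,... becomes its text form."""
    if data.lower().startswith("hex:"):
        return bytes(int(h, 16) for h in data[4:].split(",") if h).decode("latin-1")
    return data.strip('"')

def config_file_hits(paths: Iterable[str]) -> List[str]:
    """Return paths whose file name is one of the spam relay config names."""
    return [p for p in paths
            if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in WOPLA_CONFIG_FILES]

def mutex_hits(mutex_names: Iterable[str]) -> List[str]:
    """Return mutex names (namespace prefix stripped) equal to the sample above.
    Also matching the 'rbr_' prefix is an assumption; the name is described as random."""
    short = [(m, m.rsplit("\\", 1)[-1]) for m in mutex_names]
    return [m for m, s in short if s == WOPLA_MUTEX_SAMPLE or s.startswith("rbr_")]

# Constructed sample export (not from a real infection); the hex bytes spell a domain.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="https://www.example.com/"
"Placeholder_Databr"=hex:62,72,2e,73,65,63,64,65,70,2e,69,6e,66,6f
"""
```

Feed a real `regedit /e` export, a file listing, and handle names from a process inspection tool in place of the constructed inputs.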
Prevention