Threat behavior
TrojanDropper:Win32/Oficla.H is a detection for a trojan that installs and executes Trojan:Win32/Oficla.M. This Win32/Oficla variant attempts to connect to a remote host and download a configuration data file that instructs the trojan to retrieve other malware from additional download locations.
Installation
When run, TrojanDropper:Win32/Oficla.H drops a trojan component to the following location:
<system folder>\nynm.wmo - Trojan:Win32/Oficla.M
The registry is modified to execute the dropped component at Windows start.
Sets value: "Shell"
From data: "explorer.exe"
To data: "explorer.exe rundll32.exe nynm.wmo mynleeq"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
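The Winlogon "Shell" modification above is the persistence mechanism to look for on a suspected host: Explorer still starts normally, but a second command (rundll32.exe loading the dropped file by export name) is appended to the value. The following is an added example, not code from this entry, that flags any Shell value deviating from the default "explorer.exe" and calls out the rundll32-loading-a-non-DLL pattern specifically; assess_winlogon_shell() and read_live_winlogon_shell() are hypothetical helper names, and the sample values are constructed from the entry.

```python
"""Added example: flag a Winlogon "Shell" value that has had a command appended.

The default Shell value is "explorer.exe". The entry shows it changed to
"explorer.exe rundll32.exe nynm.wmo mynleeq", so Explorer starts normally and
rundll32 loads the dropped file (by export name) behind it. Function names are
hypothetical; SAMPLE_VALUES are constructed for the example.
"""
import os
import sys

DEFAULT_SHELL = "explorer.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"  # from the entry
# File extensions rundll32 is normally asked to load; anything else stands out.
NORMAL_DLL_EXTENSIONS = {".dll", ".cpl"}


def assess_winlogon_shell(value: str) -> dict:
    """Return a verdict on one Shell value: the value, a suspicious flag and findings."""
    tokens = value.strip().split()
    findings = []
    if not tokens:
        findings.append("Shell value is empty")
    elif tokens[0].lower() != DEFAULT_SHELL:
        findings.append(f"shell is not {DEFAULT_SHELL}: {tokens[0]}")
    extra = tokens[1:]
    if extra:
        findings.append("extra command appended after the shell: " + " ".join(extra))
        # Pattern from this entry: rundll32.exe <file> <export>, where <file>
        # is not a .dll at all (here: nynm.wmo).
        for i, tok in enumerate(extra):
            if tok.lower().endswith("rundll32.exe") and i + 1 < len(extra):
                target = extra[i + 1].split(",")[0]  # drop a "file.dll,Export" suffix
                export = extra[i + 2] if i + 2 < len(extra) else ""
                ext = os.path.splitext(target)[1].lower()
                if ext not in NORMAL_DLL_EXTENSIONS:
                    findings.append(
                        f"rundll32.exe loading non-DLL file {target} (export {export or '?'})"
                    )
    return {"value": value, "suspicious": bool(findings), "findings": findings}


def read_live_winlogon_shell():
    """On Windows, read the real Shell value with winreg; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
    return value


# Constructed sample values: the clean default and the modification from this entry.
SAMPLE_VALUES = [
    "explorer.exe",
    "explorer.exe rundll32.exe nynm.wmo mynleeq",
]

if __name__ == "__main__":
    live = read_live_winlogon_shell()
    for v in SAMPLE_VALUES + ([live] if live else []):
        r = assess_winlogon_shell(v)
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", repr(v))
        for f in r["findings"]:
            print("   -", f)
```

Run on a Windows host the script also reads the live value; anywhere else it evaluates only the constructed samples. Because the check compares against the documented default rather than against a list of known bad strings, it also catches variants that use a different file name or export.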
Payload
Downloads arbitrary files
The installed trojan Win32/Oficla.M may inject code into the running process "SVCHOST.exe" that attempts to download a script from the domain "baksomania2010.ru". The script is used by the trojan to visit the domain "comptoirdelhomme.com" and download arbitrary files.
At the time of this writing, the downloaded malware is detected as TrojanSpy:Win32/Sodast.A.
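The two domains named in the Payload section are the network indicators for this family. The following is an added example, not part of this entry, that scans proxy log lines for connections to those domains or any of their subdomains, matching on DNS label boundaries so that a lookalike host is not reported; the log format, every log line and the function names (find_ioc_hits and helpers) are constructed for the example.

```python
"""Added example: find proxy-log records to the download hosts named in this entry.

IOC_DOMAINS holds the two domains from the Payload section. The log format and
every log line are constructed for the example; find_ioc_hits() and the other
function names are hypothetical. Matching is done on DNS label boundaries so
that a lookalike such as "notbaksomania2010.ru" is not reported.
"""
import re

IOC_DOMAINS = {"baksomania2010.ru", "comptoirdelhomme.com"}  # from the entry

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_proxy_line(line: str) -> dict:
    """Parse '<timestamp> key=value ...' into a dict (constructed log format)."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def host_matches_ioc(host: str, iocs=IOC_DOMAINS):
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def find_ioc_hits(lines) -> list:
    """Return one record per log line whose host matches an IoC domain."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        ioc = host_matches_ioc(rec.get("host", ""))
        if ioc:
            hits.append({
                "ts": rec["ts"],
                "src": rec.get("src"),
                "host": rec["host"],
                "ioc": ioc,
                "path": rec.get("path"),
            })
    return hits


# Constructed sample proxy log: two true hits, one benign host, one lookalike.
SAMPLE_LOG = """\
2010-03-01T10:00:00Z src=10.0.0.5 host=baksomania2010.ru path=/cfg.txt bytes=512
2010-03-01T10:00:02Z src=10.0.0.5 host=www.microsoft.com path=/ bytes=4096
2010-03-01T10:00:05Z src=10.0.0.7 host=notbaksomania2010.ru path=/ bytes=300
2010-03-01T10:00:09Z src=10.0.0.5 host=www.comptoirdelhomme.com path=/file.bin bytes=20480
"""

if __name__ == "__main__":
    for h in find_ioc_hits(SAMPLE_LOG.splitlines()):
        print(f"{h['ts']} {h['src']} -> {h['host']} ({h['ioc']}) {h['path']}")
```

The source address in each hit is the host to examine for the registry modification described under Installation; a plain substring match would have reported the lookalike line as well.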
Analysis by Dan Kurc
Prevention