Threat behavior
TrojanDropper:Win32/Oficla.V is a detection for malware that drops and loads payload components of Win32/Oficla.
Installation
TrojanDropper:Win32/Oficla.V may arrive on the computer by email as LABEL_USPSXLS.exe in an archive file named USPSLabel.zip.
TrojanDropper:Win32/Oficla.V modifies the following registry entries, which lower the macro security settings of Word 2003 (Office version 11.0):
In subkey: HKCU\Software\Microsoft\Office\11.0\Word\Security
Sets value: "AccessVBOM"
With data: "1" (grants programmatic access to the VBA project object model)
In subkey: HKCU\Software\Microsoft\Office\11.0\Word\Security
Sets value: "Level"
With data: "1" (the "Low" macro security level, under which macros run without prompting)
TrojanDropper:Win32/Oficla.V loads the dropped payload file into a new instance of svchost.exe by injecting code and queuing asynchronous procedure calls (APC). The trojan dropper copies the payload as the following file:
<system folder>\<random file name> - for example, <system folder>\bfky.ojo
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The registry is modified so that the payload component runs at each user logon: the Winlogon "Shell" value, whose default data is "explorer.exe", is extended so that rundll32.exe also loads the dropped DLL and calls one of its exports.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe rundll32.exe <payload dropped under system folder> <export function name of payload>"
For example, "explorer.exe rundll32.exe bfky.ojo bwapp"
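The following host-triage script is an added example and is not part of the original encyclopedia entry or of any Microsoft tooling. It checks the two registry artifacts described above: a Winlogon "Shell" value that is no longer plain "explorer.exe" (extracting the rundll32 DLL and export, and testing whether the DLL exists under the system folder), and Word\Security "Level" = 1 or "AccessVBOM" = 1. It assumes, beyond what the entry states, that other Office versions keep the same Word\Security key layout (so it enumerates every numeric version key under HKCU\Software\Microsoft\Office) and that the default Shell data is exactly "explorer.exe"; both assumptions are noted in the comments.

```powershell
# Added triage script (not from the original entry). Reports the Oficla.V-style
# registry changes described above on the local host. Run from an elevated prompt
# so HKLM is readable; HKCU is checked for the interactively logged-on user only.
# Assumptions: other Office versions use the same Word\Security layout as 11.0,
# and a clean Winlogon Shell value is exactly "explorer.exe".

function Get-OficlaRegistryIndicators {
    $findings = @()

    # 1. Winlogon Shell persistence. The dropper appends
    #    "rundll32.exe <dll> <export>" after explorer.exe.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "$($hive):\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell.Trim() -ne 'explorer.exe') {
            $findings += "[$hive] Winlogon Shell is '$shell' (expected 'explorer.exe')"
            # Pull the DLL and export name out of the rundll32 portion, if present.
            if ($shell -match 'rundll32(\.exe)?\s+(\S+)\s+(\S+)') {
                $dll    = $Matches[2]
                $export = $Matches[3]
                # A bare file name such as bfky.ojo is the file dropped under the
                # system folder, so resolve it there before testing for existence.
                if (-not [IO.Path]::IsPathRooted($dll)) {
                    $dll = Join-Path $env:SystemRoot "System32\$dll"
                }
                $exists = Test-Path -LiteralPath $dll
                $findings += "    rundll32 payload: $dll  export: $export  on disk: $exists"
            }
        }
    }

    # 2. Word macro security weakened: Level = 1 (Low) and AccessVBOM = 1.
    $officeRoot = 'HKCU:\Software\Microsoft\Office'
    if (Test-Path $officeRoot) {
        Get-ChildItem $officeRoot |
            Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |   # e.g. 11.0, 12.0, 16.0
            ForEach-Object {
                $ver = $_.PSChildName
                $sec = Join-Path $_.PSPath 'Word\Security'
                if (Test-Path $sec) {
                    $p = Get-ItemProperty -Path $sec
                    if ($p.Level -eq 1) {
                        $findings += "Office $ver Word\Security\Level = 1 (Low: macros run without prompting)"
                    }
                    if ($p.AccessVBOM -eq 1) {
                        $findings += "Office $ver Word\Security\AccessVBOM = 1 (programmatic VBA project access)"
                    }
                }
            }
    }

    return $findings
}

$results = Get-OficlaRegistryIndicators
if ($results.Count -gt 0) {
    $results | ForEach-Object { Write-Output $_ }
} else {
    Write-Output 'No Oficla.V registry indicators found.'
}
```

Any Shell value other than "explorer.exe" deserves a look even if it does not match the rundll32 pattern, since other families use the same value for persistence; the script therefore reports the raw value first and only then attempts to parse it. A hit on AccessVBOM or Level alone is weaker evidence (administrators and developers sometimes set these deliberately), so treat those lines as corroboration of the Shell finding rather than as a stand-alone verdict.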
Payload
Drops other malware
TrojanDropper:Win32/Oficla.V drops its payload component as %TEMP%\<random file name>.tmp, which is detected as Trojan:Win32/Oficla.V.
Analysis by Shawn Wang
Prevention