Trojan.Dropper.Oficla.O
Various notifications that the system is infected
Presence of the files and registry entries modifications from technical section
Please let BitDefender disinfect your files.
It usually arrives as an e-mail attachment carrying a fake MS Office Word document icon.
When run, it drops a DLL file in the %temp% folder, which is then copied to the %system% folder under a random name (e.g. pgsb.lto); this component is detected as Gen:Variant.Oficla.2. To ensure that the DLL is active at each system startup, it adds the following registry entry:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell = Explorer.exe rundll32.exe random_dll random_api - where random_dll and random_api may change with newer versions (e.g. pgsb.lto csxyfxr)
The DLL is injected into an svchost.exe process, after which the trojan deletes its original file.
Depending on the installed version, the DLL component accesses different sites, usually from Russia (davidopolko.ru, postfolkovs.ru), from which it retrieves a link to another executable (Trojan.Downloader.ABBL). Downloading and running this leads to the installation of a rogue security solution (Security Essentials 2010), detected as Trojan.FakeAV.KZD.
In case of a successful download and installation, additional modifications are made to the system:
[HKCU\Software\Microsoft\Internet Explorer\PhishingFilter] Enabled = 0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] DisableTaskMgr = 1
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] smss32.exe = %system%\smss32.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] Security essentials 2010 = %program_files%\Securityessentials2010\SE2010.exe
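The registry entries listed above (the Winlogon Shell hijack used for persistence and the four modifications made by the rogue security solution) can be checked for in a Regedit export of a suspect machine. The following Python script is an added example written for this page, not BitDefender's tooling: it parses a .reg export and flags a Winlogon Shell value that is anything other than Explorer.exe, a disabled IE PhishingFilter, a DisableTaskMgr policy and Run entries pointing at smss32.exe or Security essentials 2010. The SAMPLE_REG_EXPORT is a constructed export seeded with the page's example values (pgsb.lto, csxyfxr); the other entries in it are made up for illustration.

```python
import re

# Constructed .reg export for the demo. The Shell value and the rogue AV
# entries reproduce what the description above lists; "Userinit" and
# "SecurityHealth" are benign filler added so the scanner has something to ignore.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe pgsb.lto csxyfxr"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss32.exe"="C:\\Windows\\system32\\smss32.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Security essentials 2010"="C:\\Program Files\\Securityessentials2010\\SE2010.exe"
"""

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')

# Keys named in the description above.
WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
PHISHING = r"HKCU\Software\Microsoft\Internet Explorer\PhishingFilter"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
# Autorun names / path fragments the description attributes to the rogue AV stage.
ROGUE_AUTORUNS = ("smss32.exe", "security essentials 2010", "securityessentials2010")


def parse_reg_export(text):
    """Parse a Regedit .reg export into {key: {value_name: value}}.
    Handles quoted strings (with \\\\ and \\" escapes) and dword values, which is
    all this example needs; other value types are kept as their raw text."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, path = line[1:-1].partition("\\")
            current = HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + path
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, value = m.group("name"), m.group("value")
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif value.lower().startswith("dword:"):
            value = int(value[6:], 16)
        reg[current][name] = value
    return reg


def lookup(reg, key, name):
    """Case-insensitive lookup: registry key and value names are not case sensitive."""
    for k, values in reg.items():
        if k.lower() == key.lower():
            for n, v in values.items():
                if n.lower() == name.lower():
                    return v
    return None


def scan_reg_export(text):
    """Return a list of (finding, detail) tuples for the indicators described above."""
    reg = parse_reg_export(text)
    findings = []
    # Persistence: a clean Shell value is exactly "explorer.exe"; anything appended
    # (here rundll32.exe plus the random DLL and export name) is a hijack.
    shell = lookup(reg, WINLOGON, "Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon-shell", shell))
    if lookup(reg, PHISHING, "Enabled") == 0:
        findings.append(("phishing-filter-disabled", 0))
    if lookup(reg, POLICIES, "DisableTaskMgr") == 1:
        findings.append(("taskmgr-disabled", 1))
    for key in RUN_KEYS:
        for k, values in reg.items():
            if k.lower() != key.lower():
                continue
            for name, value in values.items():
                haystack = (name + " " + str(value)).lower()
                if any(token in haystack for token in ROGUE_AUTORUNS):
                    findings.append(("rogue-autorun", f"{name} = {value}"))
    return findings


if __name__ == "__main__":
    for finding, detail in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"{finding}: {detail}")
```

On a real host the export would come from `reg export` of the keys above; the Shell check is the most useful of the four because it fires on any appended command, not only on this family's random DLL name.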