
Trojan.Dropper.Oficla.O

MEDIUM
MEDIUM
~80KB

Symptoms

Various notifications claiming that the system is infected

Presence of the files and registry modifications listed in the technical description

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

It usually arrives as an e-mail attachment with a fake MS Office Word document icon.

When run, it drops a DLL file in the %temp% folder, which is then copied to the %system% folder under a random name (e.g. pgsb.lto), detected as Gen:Variant.Oficla.2. To ensure that the DLL is loaded at each system startup, it adds the following registry value:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell = Explorer.exe rundll32.exe random_dll random_api - where random_dll and random_api may change with newer versions (e.g. pgsb.lto csxyfxr)

The DLL is injected into a svchost.exe process, after which the trojan deletes its original file.

Depending on the installed version, the DLL component contacts different sites, usually hosted in Russia (davidopolko.ru, postfolkovs.ru), from which it retrieves a link to another executable (Trojan.Downloader.ABBL). Downloading and running this leads to the installation of a rogue security product (Security Essentials 2010), detected as Trojan.FakeAV.KZD.

If the download and installation succeed, the following additional modifications are made to the system:

[HKCU\Software\Microsoft\Internet Explorer\PhishingFilter] Enabled = 0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] DisableTaskMgr = 1

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  smss32.exe  = %system%\smss32.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] Security essentials 2010 = %program_files%\Securityessentials2010\SE2010.exe
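The Winlogon Shell persistence described above and the post-infection registry changes listed here can be audited on a suspect host. The PowerShell script below is an added example, not Bitdefender's removal tool or any code from this page: it reads the Winlogon Shell value (the only expected content is explorer.exe), extracts the DLL name that rundll32.exe would load if the value has been altered, checks the two policy values and the two Run entries named in this description, and tests for the files they point to. It assumes the hive paths exactly as written on this page and that it runs with rights to read HKLM; it reads only and changes nothing.

```powershell
# Added example (not Bitdefender's tooling): read-only audit of the
# persistence and tampering locations named in the Trojan.Dropper.Oficla.O
# description. Returns a list of human-readable findings; empty means clean.
function Find-OficlaIndicators {
    $findings = @()

    # 1. Winlogon Shell hijack. Clean systems carry exactly "explorer.exe";
    #    the dropper appends "rundll32.exe <random_dll> <random_api>".
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -notmatch '^explorer\.exe$') {
        $findings += "Winlogon Shell modified: '$shell'"

        # Pull the DLL name out of the value so the dropped component can be located.
        # The name is random per sample (page example: pgsb.lto), so it is parsed, not hard-coded.
        $tokens = $shell.Trim() -split '\s+'
        $i = [array]::IndexOf(($tokens | ForEach-Object { $_.ToLower() }), 'rundll32.exe')
        if ($i -ge 0 -and $i + 1 -lt $tokens.Count) {
            $dll = Join-Path (Join-Path $env:SystemRoot 'System32') $tokens[$i + 1]
            if (Test-Path $dll) { $findings += "Dropped DLL present: $dll" }
            else { $findings += "Shell references missing DLL: $($tokens[$i + 1])" }
        }
    }

    # 2. Values set after the FakeAV payload installs (page lists these exactly).
    $valueChecks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'
           Name = 'Enabled'; Bad = 0; Why = 'IE phishing filter disabled' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
           Name = 'DisableTaskMgr'; Bad = 1; Why = 'Task Manager disabled' }
    )
    foreach ($c in $valueChecks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $v -and $v -eq $c.Bad) {
            $findings += "$($c.Path)\$($c.Name) = $v ($($c.Why))"
        }
    }

    # 3. Run-key entries named in the description.
    $runChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'smss32.exe' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Security essentials 2010' }
    )
    foreach ($r in $runChecks) {
        $v = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        if ($v) { $findings += "Run entry '$($r.Name)' -> $v" }
    }

    # 4. Files those Run entries point to (%system% and %program_files% expanded).
    $files = @(
        (Join-Path $env:SystemRoot 'System32\smss32.exe'),
        (Join-Path $env:ProgramFiles 'Securityessentials2010\SE2010.exe')
    )
    foreach ($f in $files) {
        if (Test-Path $f) { $findings += "File present: $f" }
    }

    return $findings
}

# Usage: run from an elevated prompt so HKLM is readable.
$result = Find-OficlaIndicators
if ($result.Count -eq 0) {
    'No indicators from the Trojan.Dropper.Oficla.O description found.'
} else {
    $result | ForEach-Object { "[!] $_" }
}
```

The Shell check deliberately compares against a strict pattern rather than searching for known DLL names, because the DLL and export names are random per build; anything beyond explorer.exe in that value is worth a look regardless of which sample produced it.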