~70 kB
(TrojanDropper:Win32/Oficla.G, Trojan.Oficla.45, Trojan.Sasfis)


Various notifications that the system is infected.

Presence of the files and registry modifications described in the technical section.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Andrei DAMIAN-FEKETE, virus researcher

Technical Description:

It usually arrives as an e-mail attachment with a PDF document icon or a Microsoft Office Word document icon.

When run, it drops a DLL file in the %temp% folder, which is then copied to the %system% folder under a random name (e.g. pgsb.lto) and is detected as Gen:Variant.Oficla.2 or Trojan.Oficla.T. To ensure that the dropped DLL is active at each system startup, it sets the following value in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key:
Shell = Explorer.exe rundll32.exe pgsb.lto csxyfxr

The pgsb.lto and csxyfxr parameters passed to rundll32.exe may change with newer versions.
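Because the file name and export name change between versions, a check for this persistence is better written against the shape of the Shell value than against pgsb.lto itself. The following is an added example, not Bitdefender's code: the function names are hypothetical, and it assumes the clean default Shell data is explorer.exe alone.

```python
import ntpath
import re

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"  # assumed default Shell data on a clean install


def audit_shell(value):
    """Return findings for a Winlogon Shell string; an empty list means clean."""
    # Entries may be separated by spaces or commas; drop surrounding quotes.
    tokens = [t.strip('"') for t in re.split(r"[\s,]+", value.strip()) if t]
    findings = []
    if not tokens or ntpath.basename(tokens[0]).lower() != EXPECTED_SHELL:
        findings.append("first entry is not explorer.exe")
    extra = tokens[1:]
    if extra:
        findings.append("extra command appended: " + " ".join(extra))
    for i, tok in enumerate(extra):
        name = ntpath.basename(tok).lower()
        if name in ("rundll32", "rundll32.exe") and i + 1 < len(extra):
            module = extra[i + 1]
            # The dropped DLL on this page hides behind a random extension.
            if not module.lower().endswith(".dll"):
                findings.append("rundll32 loads a module without .dll extension: " + module)
    return findings


def read_live_shell():
    """Read the live value (Windows only); not used by the samples below."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Shell")[0]


# Constructed samples: a clean value and the value quoted on this page.
SAMPLES = {
    "clean": "explorer.exe",
    "oficla": "Explorer.exe rundll32.exe pgsb.lto csxyfxr",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, "->", audit_shell(data) or "ok")
```

On a Windows host, `audit_shell(read_live_shell())` applies the same check to the live registry value.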

The DLL is injected into a newly created svchost.exe process, after which the trojan deletes itself.

Depending on the installed version, the DLL component accesses different sites, usually from Russia, from which it retrieves a link to another executable (Trojan.Downloader.ABBL). Downloading and running this executable leads to the installation of a rogue security solution (Security Essentials 2010), detected as Trojan.FakeAV.KZD.

If the download and installation succeed, additional modifications are made to the system:

[HKCU\Software\Microsoft\Internet Explorer\PhishingFilter]

Enabled = 0


DisableTaskMgr = 1


smss32.exe = %system%\smss32.exe


Security essentials 2010 = %program_files%\Securityessentials2010\SE2010.exe