
Trojan.Dropper.Oficla.P

MEDIUM
MEDIUM
Size: ~70 kB
Aliases: TrojanDropper:Win32/Oficla.G, Trojan.Oficla.45, Trojan.Sasfis

Symptoms

Fake warnings that the system is infected, displayed by the rogue security product that the trojan installs.

Presence of the files and registry modifications listed in the Technical Description section.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Andrei DAMIAN-FEKETE, virus researcher

Technical Description:

It usually arrives as an e-mail attachment: an executable carrying a PDF document icon or a Microsoft Office Word document icon.

When run, it drops a DLL in the %temp% folder, which is then copied to the %system% folder under a random name (e.g. pgsb.lto); the DLL is detected as Gen:Variant.Oficla.2 or Trojan.Oficla.T. To ensure the dropped DLL is loaded at every system startup, the trojan modifies the following value in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key:
Shell = Explorer.exe rundll32.exe pgsb.lto csxyfxr

The parameters passed to rundll32.exe (pgsb.lto csxyfxr, i.e. the DLL file name and the entry point it calls) may change in newer versions.

The DLL is injected into a newly created svchost.exe process, after which the trojan deletes its own executable.

Depending on the installed version, the DLL component contacts different sites, usually hosted in Russia (davidopolko.ru, postfolkovs.ru), from which it retrieves a link to another executable (Trojan.Downloader.ABBL). Downloading and running that executable leads to the installation of a rogue security product (Security Essentials 2010), detected as Trojan.FakeAV.KZD.

If the download and installation succeed, the following additional modifications are made to the system (disabling the Internet Explorer phishing filter and Task Manager, and registering the dropped smss32.exe and the rogue product's SE2010.exe to start at logon):

[HKCU\Software\Microsoft\Internet Explorer\PhishingFilter]

Enabled = 0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]

DisableTaskMgr = 1

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

smss32.exe = %system%\smss32.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

Security essentials 2010 = %program_files%\Securityessentials2010\SE2010.exe
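The Winlogon Shell hijack and the Run-key, PhishingFilter and DisableTaskMgr changes above are all plain registry indicators, so a responder can triage an exported registry dump for them without running a scanner. The following is an added example, not Bitdefender's code or part of the original description: it parses a dump written in the same "[key]" / "name = value" layout used on this page (a constructed sample, not an export from a real infection) and reports each indicator the description lists. The key paths and the file names smss32.exe and SE2010.exe come from the description; the generalisation that any command appended to "Explorer.exe" in the Shell value is suspicious is an assumption, since the documented default is Explorer.exe alone.

```python
from typing import Dict, List

# Constructed sample dump in the "[key]" / "name = value" layout of the description
# above; it is NOT an export taken from an infected machine.
SAMPLE_DUMP = r"""
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = Explorer.exe rundll32.exe pgsb.lto csxyfxr
[HKCU\Software\Microsoft\Internet Explorer\PhishingFilter]
Enabled = 0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 1
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
smss32.exe = %system%\smss32.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Security essentials 2010 = %program_files%\Securityessentials2010\SE2010.exe
"""

# Constructed clean dump used as a control; the Run entry is an arbitrary benign-looking value.
CLEAN_DUMP = r"""
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = Explorer.exe
[HKCU\Software\Microsoft\Internet Explorer\PhishingFilter]
Enabled = 1
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SecurityHealth = %program_files%\Windows Defender\MSASCuiL.exe
"""

# Registry paths taken from the description; compared case-insensitively because
# Windows registry key and value names are case-insensitive.
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
PHISHING = r"hkcu\software\microsoft\internet explorer\phishingfilter"
POLICIES = r"hkcu\software\microsoft\windows\currentversion\policies\system"
RUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
)
# File names the description associates with the installed rogue product.
RUN_INDICATORS = {"smss32.exe", "se2010.exe"}


def parse_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Parse "[key]" sections with "name = value" lines into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            keys[current][name.strip().lower()] = value.strip()
    return keys


def check_winlogon_shell(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag a Shell value that starts anything besides the default Explorer.exe."""
    shell = keys.get(WINLOGON, {}).get("shell")
    if shell is None:
        return []
    if [t.lower() for t in shell.split()] != ["explorer.exe"]:
        return [f"Winlogon Shell starts an extra command at logon: {shell}"]
    return []


def check_policy_values(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the two hardening features the rogue product switches off."""
    findings = []
    if keys.get(PHISHING, {}).get("enabled") == "0":
        findings.append("Internet Explorer PhishingFilter disabled (Enabled = 0)")
    if keys.get(POLICIES, {}).get("disabletaskmgr") == "1":
        findings.append("Task Manager disabled by policy (DisableTaskMgr = 1)")
    return findings


def check_run_keys(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag Run entries whose target file name matches a known indicator."""
    findings = []
    for run in RUN_KEYS:
        for name, value in keys.get(run, {}).items():
            exe = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if exe in RUN_INDICATORS:
                findings.append(f"Run entry '{name}' under {run} starts {value}")
    return findings


def scan(text: str) -> List[str]:
    """Return every indicator found in a dump; an empty list means nothing matched."""
    keys = parse_dump(text)
    return check_winlogon_shell(keys) + check_policy_values(keys) + check_run_keys(keys)


if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_DUMP), ("clean", CLEAN_DUMP)):
        print(f"{label}: {len(scan(dump))} finding(s)")
        for finding in scan(dump):
            print("  -", finding)
```

A hit on the Winlogon Shell check alone is enough to treat the host as compromised, because the documented default for that value is Explorer.exe with nothing appended; the Run-key check, by contrast, only matches the file names this description names and will miss a renamed dropper.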