This Trojan downloads files from the Internet and launches them without the user’s knowledge or consent. It is a Windows PE EXE file. It is 35840 bytes in size. It is written in C++.
Once launched, the Trojan will:
- extract a file from its body and save it in the system as:
%Temp%\1.tmp
%System%\yise.ero
This file is 20480 bytes in size. It is detected by Kaspersky Anti-Virus as "Trojan.Win32.Oficla.dv". It is a dynamic library with loader functionality.
- launch a copy of the "SVCHOST.EXE" process and inject the executable code of the extracted library into its address space. Using this library the Trojan downloads files from the Internet via the links:
http://www.*****el.biz/nslider4.exe
http://1******.103/nsuper64.bin
At the time of writing, a file of 145672 bytes was being downloaded via the second link (MD5: 444B2F92DAC15236E1956108E22084B6, SHA1: CF8BCB26AA53B201795029E8621204012AAABD60).
The following HTTP requests are also sent:
http://*******egas.ru/web/St/bb.php?v=200&id=603225387&b=24Psihi&tm=1
http://*******egas.ru/web/St/bb.php?v=200&id=603225387&tid=8&b=24Psihi&r=1&tm=2
At the time of writing, in response to both requests the Trojan received the link:
http://********.46/kasuli.exe
The file is also downloaded via the link that is received. A file of 41472 bytes was downloaded (MD5: EDD2DA8CE402545CD58546EBB91339F6, SHA1: B0911988EED0EB24FF794CB88B30E2727C342911).
The downloaded files are saved to the current user's temporary directory %Temp% under random names and are launched after a successful download.
- To ensure the extracted library is launched automatically every time the system boots, the Trojan changes the value of the following system registry key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe rundll32.exe yise.ero mpgyjp"
As a result, even when the system is booted in "safe mode", the "WINLOGON.EXE" process launches the system utility "rundll32.exe", which loads the Trojan library into its address space and calls the "mpgyjp" function exported from it. The library is referenced by bare file name, so rundll32.exe resolves it through the normal DLL search order, which includes %System% where the file was dropped; the unusual ".ero" extension makes no difference, since LoadLibrary only appends ".dll" to a name that has no extension at all.
- Additionally, the following system registry key and values are created:
[HKLM\Software\Classes\idid]
"url1" = "68 74 74 70 3A 2F 2F 61 73 75 73 6D 61 63 2E 6F 72 67
2F 6F 72 69 67 69 6E 61 6C 2F 73 2E 70 68 70 00 00 52 51 91 7C
A0 10 08 00 08 00 15 C0 78 E8 07 00 C0 1F 1A 00 FC 1F 1A 00 50 E8
07 00 7D 5D 91 7C B0 1F 1A 00 40 CE 97 7C B4 5D 91 7C 42 CE 97 7C 4"
"url2" = "00 00 08 E6 07 00 78 E6 07 00 44 E7 07 00 00 00 00 00 18 00
00 00 03 00 00 00 AC E8 07 00 01 00 00 00 03 00 00 00 02 00 00 00 01
00 00 00 00 00 00 00 00 00 00 00 2C 03 00 00 D8 E6 07 00 F1 5A 91 7C
03 00 00 01 00 00 00 00 A0 10 08 00 9C E6 07 00 38 E"
Both values are binary. "url1" starts with a null-terminated ASCII URL string; the bytes after the terminator (several of them form addresses in the 0x7C9xxxxx range where ntdll.dll is mapped on Windows XP SP2/SP3) look like uninitialised stack memory that was written out together with the string, so the tail will differ from one infected machine to another. Identify the key by its name rather than by the full value.
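Two checks a responder can run offline against the indicators listed above, as an added example that is not part of the original Kaspersky description: it parses the "url1" dump exactly as printed on this page, recovers the null-terminated ASCII string (a URL) at its start, counts the pointer-looking DWORDs that follow it, and flags everything in a Winlogon "Shell" value beyond explorer.exe. The helper names and the address range used for the pointer scan (ntdll.dll's default base on Windows XP SP2/SP3) are my assumptions, not the analysts'.

```python
# Added example, not part of the original Kaspersky description: offline
# triage helpers for the indicators listed above. The inputs below are
# copied from this page; nothing here reads or writes a live registry.
import re

# The page prints the REG_BINARY values as space-separated hex byte pairs.
# This is "url1" as shown above; the listing is cut off after a lone "4".
URL1_DUMP = """
68 74 74 70 3A 2F 2F 61 73 75 73 6D 61 63 2E 6F 72 67
2F 6F 72 69 67 69 6E 61 6C 2F 73 2E 70 68 70 00 00 52 51 91 7C
A0 10 08 00 08 00 15 C0 78 E8 07 00 C0 1F 1A 00 FC 1F 1A 00 50 E8
07 00 7D 5D 91 7C B0 1F 1A 00 40 CE 97 7C B4 5D 91 7C 42 CE 97 7C 4
"""

# Assumption: on Windows XP SP2/SP3, ntdll.dll is mapped at 0x7C900000.
# Little-endian DWORDs in this range inside a registry value strongly
# suggest the value was written from an uninitialised stack buffer.
XP_NTDLL_RANGE = (0x7C900000, 0x7C9B0000)


def parse_hex_dump(dump: str) -> bytes:
    """Turn the page's hex listing into bytes. A trailing lone nibble is
    dropped rather than guessed, because the listing is truncated there."""
    pairs = [t for t in dump.split() if re.fullmatch(r"[0-9A-Fa-f]{2}", t)]
    return bytes(int(t, 16) for t in pairs)


def leading_cstring(blob: bytes) -> str:
    """Return the NUL-terminated printable-ASCII prefix of a blob, or ""
    when the prefix is empty or contains non-printable bytes."""
    end = blob.find(b"\x00")
    prefix = blob if end < 0 else blob[:end]
    if not prefix or any(b < 0x20 or b > 0x7E for b in prefix):
        return ""
    return prefix.decode("ascii")


def stack_pointers(blob: bytes, start: int) -> list:
    """Little-endian DWORDs at any byte offset >= start that fall inside
    XP_NTDLL_RANGE. The scan slides one byte at a time because the buffer
    the Trojan wrote need not be 4-byte aligned."""
    hits = []
    for off in range(start, len(blob) - 3):
        value = int.from_bytes(blob[off:off + 4], "little")
        if XP_NTDLL_RANGE[0] <= value < XP_NTDLL_RANGE[1]:
            hits.append(value)
    return hits


def winlogon_shell_extras(value: str) -> list:
    """Everything in a Winlogon "Shell" value other than explorer.exe.

    Winlogon accepts a comma-separated list of programs; a space-separated
    tail like the one this Trojan writes travels on the command line.
    Either way, any token that is not explorer.exe is suspicious."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    return [t for t in tokens if t.lower() != "explorer.exe"]


def triage_url1(dump: str = URL1_DUMP) -> dict:
    """Summarise a url1-style value: the decoded string, its length, the
    total byte count, and how many pointer-like DWORDs follow the string."""
    blob = parse_hex_dump(dump)
    url = leading_cstring(blob)
    return {
        "url": url,
        "string_length": len(url),
        "total_bytes": len(blob),
        "pointer_like_dwords": len(stack_pointers(blob, len(url) + 1)),
    }


if __name__ == "__main__":
    print(triage_url1())
    print(winlogon_shell_extras("Explorer.exe rundll32.exe yise.ero mpgyjp"))
```

On the dump above the pointer scan finds five hits, all at offsets that are 3 modulo 4, which is what a 4-byte aligned stack slot looks like when the string buffer itself started one byte past an aligned address; that is the signature of stack residue rather than of data the author intended to store.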
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Restore the value of the following system registry key (What is a system registry and how do I use it?):
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe"
- Reboot the computer. Until then the Trojan library remains loaded in running processes, so the files listed in the next steps cannot be deleted.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following files:
%Temp%\1.tmp
%System%\yise.ero
- Delete the files downloaded by the Trojan from the "%Temp%" directory.
- Delete the following system registry key together with its values (see What is a system registry and how do I use it? for details on how to edit the registry). The trailing bytes of the values may differ on your machine; go by the key name:
[HKLM\Software\Classes\idid]
"url1" = "68 74 74 70 3A 2F 2F 61 73 75 73 6D 61 63 2E 6F 72 67 2F
6F 72 69 67 69 6E 61 6C 2F 73 2E 70 68 70 00 00 52 51 91 7C A0 10
08 00 08 00 15 C0 78 E8 07 00 C0 1F 1A 00 FC 1F 1A 00 50 E8 07 00
7D 5D 91 7C B0 1F 1A 00 40 CE 97 7C B4 5D 91 7C 42 CE 97 7C 4"
"url2" = "00 00 08 E6 07 00 78 E6 07 00 44 E7 07 00 00 00 00 00 18
00 00 00 03 00 00 00 AC E8 07 00 01 00 00 00 03 00 00 00 02 00 00
00 01 00 00 00 00 00 00 00 00 00 00 00 2C 03 00 00 D8 E6 07 00 F1
5A 91 7C 03 00 00 01 00 00 00 00 A0 10 08 00 9C E6 07 00 38 E"
- Delete all Temporary Internet Files, which may contain infected files (How to delete infected files from Temporary Internet File directory).
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).