Internet threat level: 1
Home→Descriptions→Trojan.Win32.Oficla.dv
Trojan.Win32.Oficla.dv
| Detected | Aug 24 2010 00:44 GMT |
| Released | Aug 24 2010 07:38 GMT |
| Published | Oct 20 2010 10:35 GMT |
Payload
Removal instructions
Technical Details
This Trojan downloads files from the Internet and launches them without the user’s knowledge or consent. It is a Windows PE EXE file. It is 35840 bytes in size. It is written in C++.
Payload
Once launched, the Trojan will:
- extract the file from its body and save it in the system as
%Temp%\1.tmp %System%\yise.ero
This file is 20480 bytes in size. It is detected by Kaspersky Anti-Virus as "Trojan.Win32.Oficla.dv". It is a dynamic library with a loader’s functionality. - It launches a copy of the "SVCHOST.EXE" process and integrates the executable code of the extracted library into its address space. Using this library the Trojan downloads files from the Internet via the links:
http://www.*****el.biz/nslider4.exe http://1******.103/nsuper64.bin
At the time of writing a file of 145672 bytes was being downloaded via the second link (MD5: 444B2F92DAC15236E1956108E22084B6, SHA1: CF8BCB26AA53B201795029E8621204012AAABD60).The following HTTP requests are also sent:
http://*******egas.ru/web/St/bb.php?v=200&id=603225387&b=24Psihi&tm=1 http://*******egas.ru/web/St/bb.php?v=200&id=603225387&tid=
At the time of writing, in response to both requests the Trojan received the link:
8&b=24Psihi&r=1&tm=2http://********.46/kasuli.exe
The file is also downloaded via the link that is received. A file of 41472 bytes was downloaded (MD5: EDD2DA8CE402545CD58546EBB91339F6, SHA1: B0911988EED0EB24FF794CB88B30E2727C342911).The downloaded files are saved to the current user’s temporary files storage catalogue %Temp% under random names and are run after launching successfully.
- To ensure the library that was extracted earlier launches automatically every time the system is booted, the value of the system registry key is changed:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe rundll32.exe yise.ero mpgyjp"
Even when the system is booted in "safe mode", the "WINLOGON.EXE" process will launch the system utility "rundll32.exe" which loads the Trojan library to its address space and calls the “mpgyjp” function from it. - Additionally, the following system registry keys are created:
[HKLM\Software\Classes\idid] "url1" = "68 74 74 70 3A 2F 2F 61 73 75 73 6D 61 63 2E 6F 72 67 2F 6F 72 69 67 69 6E 61 6C 2F 73 2E 70 68 70 00 00 52 51 91 7C A0 10 08 00 08 00 15 C0 78 E8 07 00 C0 1F 1A 00 FC 1F 1A 00 50 E8 07 00 7D 5D 91 7C B0 1F 1A 00 40 CE 97 7C B4 5D 91 7C 42 CE 97 7C 4" "url2" = "00 00 08 E6 07 00 78 E6 07 00 44 E7 07 00 00 00 00 00 18 00 00 00 03 00 00 00 AC E8 07 00 01 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 2C 03 00 00 D8 E6 07 00 F1 5A 91 7C 03 00 00 01 00 00 00 00 A0 10 08 00 9C E6 07 00 38 E"
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Restore parameter value for the system registry key for the following (What is a system registry and how do I use it?):
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe"
- Reboot the computer.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following files:
%Temp%\1.tmp %System%\yise.ero
- Delete the files downloaded by the Trojan from the "%Temp%" catalogue.
- Delete the following system registry keys: (see What is a system registry and how do I use it? for details on how to edit the registry):
[HKLM\Software\Classes\idid] "url1" = "68 74 74 70 3A 2F 2F 61 73 75 73 6D 61 63 2E 6F 72 67 2F 6F 72 69 67 69 6E 61 6C 2F 73 2E 70 68 70 00 00 52 51 91 7C A0 10 08 00 08 00 15 C0 78 E8 07 00 C0 1F 1A 00 FC 1F 1A 00 50 E8 07 00 7D 5D 91 7C B0 1F 1A 00 40 CE 97 7C B4 5D 91 7C 42 CE 97 7C 4" "url2" = "00 00 08 E6 07 00 78 E6 07 00 44 E7 07 00 00 00 00 00 18 00 00 00 03 00 00 00 AC E8 07 00 01 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 2C 03 00 00 D8 E6 07 00 F1 5A 91 7C 03 00 00 01 00 00 00 00 A0 10 08 00 9C E6 07 00 38 E"
- Delete all Temporary Internet Files, which may contain infected files (How to delete infected files from Temporary Internet File directory).
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.
Trojan.
- Trojan:
Generic. dx!tns (McAfee) - Troj/Mdrop-CVJ (Sophos)
- Trj/Sinowal.
XFL (Panda) - TrojanDropper:
Win32/Oficla. T (MS(OneCare)) - Trojan.
Oficla. 48 (DrWeb) - Win32/Oficla.
IC trojan (Nod32) - Gen:
Trojan. Heur. UT. cyW@bS8JHVn (BitDef7) - Trojan.
Oficla. BIW (VirusBuster) - Win32:
Trojan-gen (AVAST) - Trojan.
Win32. Oficla (Ikarus) - FakeAV.
CXF (AVG) - TR/Spy.
35840. 86 (AVIRA) - Trojan.
Sasfis (NAV) - W32/Suspicious_Gen2.
BXLCN (Norman) - Trojan.
Win32. Generic. 522A8CFD (Rising) - Trojan.
Win32. Oficla. dv [AVP] (FSecure) - TROJ_OFICLA.
AY (TrendMicro) - Trojan.
Win32. Generic!BT (Sunbelt) - Trojan.
Oficla!0IqnfU7lVLY (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.