
Trojan.Win32.Oficla.w

Detected Apr 26 2010 21:24 GMT
Released Apr 27 2010 03:50 GMT
Published Jul 07 2010 11:08 GMT


Technical Details

This Trojan downloads and launches other malware on the infected computer without the user's knowledge.

Installation

When launched, the Trojan extracts from its own body a dynamic-link library (DLL) that contains its main malicious functionality and writes it to the system folder under a non-standard extension:

%system%\thxr.wgo
To ensure that it is launched automatically when the system is rebooted, the Trojan modifies the Winlogon Shell value in the system registry (a value that normally contains only explorer.exe), appending a rundll32.exe call that loads the created file with the entry point nwfdtx:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe thxr.wgo nwfdtx"


Payload

Once installed, the Trojan contacts its command server:

http://hu*********.ru/images/bb.php
from which it receives a command line containing the following commands and parameters:
"runurl"
– downloads a file from the specified URL to the %temp% folder and launches it.
"taskid"
– the number of the task being assigned.
"delay"
– the interval after which the server is to be contacted again.
"backurls"
– a list of additional command server addresses which the Trojan then connects to. The addresses are saved in the registry key:
[HKLM\SOFTWARE\Classes\idid]
"reporturls"
– a list of additional command servers which the Trojan contacts, after receiving this command, to obtain further commands.

Thus, the actions of this program may lead to the installation of other malware on the computer. At the time of writing, the Trojan was receiving a command to download and launch the file:

http://russ**nmomds.ru/dogma.exe
The attacker can also use the backurls and reporturls commands to repoint the Trojan at new command servers at any time, so that it remains under control even after the original server is taken down.
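The two registry artifacts described above, the modified Winlogon Shell value and the Classes\idid key holding the backurls list, are what a responder checks first on a suspect host. The following Python script is an added example and is not code from the original page or from Kaspersky Lab: it parses a reg export style dump and flags both artifacts, treating any token appended to the Shell value as suspicious rather than matching only the thxr.wgo file name. The function names, the sample export text, and the value layout under the idid key (the page gives the key path but not how the addresses are stored) are assumptions made for this example.

```python
import re
from typing import Dict, List

# Registry paths from the description above (HKLM spelled out as in a .reg export).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IDID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid"

# Constructed sample: what "reg export" of the two keys might look like on an
# infected host. The Shell value is the one quoted on this page; the value
# name and URL under idid are invented, since the page does not show them.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe thxr.wgo nwfdtx"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid]
"0"="http://backup.invalid/images/bb.php"
"""

# Constructed sample of a clean host for comparison.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {name: value}}.

    Only string values are handled; that is enough for Shell and the idid
    URL list. Doubled backslashes are unescaped as in the .reg format.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if value_match and current is not None:
            name, value = value_match.groups()
            keys[current][name] = value.replace("\\\\", "\\")
    return keys


def triage(export_text: str) -> List[str]:
    """Return a list of findings for the Oficla persistence and C2 artifacts."""
    keys = parse_reg_export(export_text)
    findings: List[str] = []

    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    # A missing Shell value means Windows falls back to the default explorer.exe.
    if shell is not None:
        tokens = shell.split()
        # Anything beyond the single token explorer.exe is launched at every
        # logon, so flag any modification, not just this Trojan's exact string.
        if len(tokens) != 1 or tokens[0].lower() != "explorer.exe":
            findings.append(f"Winlogon Shell modified: {shell!r}")
        # The page's pattern: rundll32.exe followed by a library with a
        # non-.dll extension (thxr.wgo). Accept both "lib,entry" and
        # "lib entry" forms so the entry-point token is ignored.
        for i, tok in enumerate(tokens):
            if tok.lower() == "rundll32.exe" and i + 1 < len(tokens):
                library = tokens[i + 1].split(",")[0]
                if not library.lower().endswith(".dll"):
                    findings.append(
                        f"rundll32.exe loads a library without a .dll extension: {library}"
                    )

    # The backurls addresses are stored under this key; its presence alone is a
    # strong indicator, and its values give the responder the C2 list to block.
    if IDID_KEY in keys:
        urls = sorted(keys[IDID_KEY].values())
        findings.append(f"C2 list key present: {IDID_KEY} with {len(urls)} value(s): {urls}")

    return findings


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("infected", INFECTED_EXPORT)):
        print(f"{label}:")
        for finding in triage(export) or ["no findings"]:
            print(f"  {finding}")
```

To run this against a real host, export the keys with reg export and read the file with encoding="utf-16", since reg export writes UTF-16 LE with a byte-order mark; a Shell value that is anything other than explorer.exe should be restored by hand after the referenced file is removed from the system folder.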


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.



Aliases

Trojan.Win32.Oficla.w (Kaspersky Lab) is also known as:

  • Trojan.Win32.Agent.duxv (Kaspersky Lab)
  • Trojan: SpyAgent-br.dll (McAfee)
  • Troj/Agent-NVL (Sophos)
  • Trojan.Oficla-2 (ClamAV)
  • Trj/Sinowal.XDN (Panda)
  • Trojan:Win32/Oficla.AC (MS(OneCare))
  • Trojan.Oficla.38 (DrWeb)
  • Win32/Oficla.GN trojan (Nod32)
  • Trojan.Oficla.S (BitDef7)
  • Trojan.Agent!vEYjCP77qRo (VirusBuster)
  • Trojan.Agent!5VMN/3xzNcY (VirusBuster)
  • Win32:Oficla-AI [Trj] (AVAST)
  • Trojan.Win32.Oficla (Ikarus)
  • TR/Spy.Inject.L (AVIRA)
  • Trojan.Sasfis (NAV)
  • W32/Oficla.FJ (Norman)
  • Trojan.Win32.Generic.52045F9B (Rising)
  • Trojan.Win32.Generic.520335E3 (Rising)
  • Trojan.Win32.Oficla.w [AVP] (FSecure)
  • TROJ_DLOADR.SMVE (TrendMicro)
  • Trojan.Agent!vEYjCP77qRo (VirusBusterBeta)
  • Trojan.Agent!5VMN/3xzNcY (VirusBusterBeta)