Win32/Oficla
Published May 10, 2010 | Updated Aug 22, 2017
Detected by Microsoft Defender Antivirus
Aliases: No associated aliases
Summary
Win32/Oficla is a family of trojans that attempts to inject code into running processes in order to download and execute arbitrary files. In the wild, we have observed variants of this family downloading and installing several different malware families, including Win32/FakeScanti and Win32/Cutwail.
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Threat behavior
Win32/Oficla is a family of trojans that attempts to inject code into running processes in order to download and execute arbitrary files. In the wild, we have observed variants of this family downloading and installing several different malware families, including Win32/FakeScanti and Win32/Cutwail.
Win32/Oficla consists of several components, including an executable trojan dropper component that installs a DLL trojan component, which then carries out the download payload.
Installation
Win32/Oficla is often distributed attached to spammed e-mail messages. For example, we have observed several variants being spammed in attachments that use one of the following file names:
- UPS_document_Nr28451.zip
- DHL_document_Nr39153.zip
- Western_Union_documento_Nr7821.zip
The archive (zip) file contains an executable with the same name but with an ".EXE" file extension (e.g. UPS_document_Nr28457.zip would contain UPS_document_Nr28457.exe). The file may use the Microsoft Word or Microsoft Excel document icon.
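The delivery pattern described above (a zip attachment whose only member is an executable carrying the same "document" base name as the archive) is something a mail gateway or triage script can check for before a user ever opens the file. The following is an added example, not code from the original page or from Microsoft; it builds two constructed zip attachments in memory and flags members that are executables, that share the archive's base name, or that match the courier/payment "document_NrNNNN" naming seen on this page. The brand list in `LURE_NAME_RE` and the names `inspect_attachment`, `build_sample_zip` and `Finding` are assumptions made for the example.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Extensions that have no business inside a "document" attachment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Naming shape distilled from the attachment names on this page
# (UPS/DHL/Western Union "document" plus a fake reference number).
# The brand alternation is an assumption for the example, not exhaustive.
LURE_NAME_RE = re.compile(
    r"^(?:UPS|DHL|Western_Union)_document\w*_Nr\d+\.(?:exe|scr|com|pif)$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    archive: str
    member: str
    reasons: list


def inspect_attachment(archive_name: str, data: bytes) -> list:
    """Return one Finding per suspicious member of a zip attachment."""
    archive_stem = archive_name.rsplit(".", 1)[0].lower()
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = info.filename
            stem, dot, ext = member.rpartition(".")
            ext = ("." + ext).lower() if dot else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable inside archive")
                # The page's example: UPS_document_Nr28457.zip holding
                # UPS_document_Nr28457.exe.
                if stem.lower() == archive_stem:
                    reasons.append("executable shares the archive's base name")
            if LURE_NAME_RE.match(member):
                reasons.append("matches courier/payment 'document' lure naming")
            if reasons:
                findings.append(Finding(archive_name, member, reasons))
    return findings


def build_sample_zip(member: str, payload: bytes) -> bytes:
    """Build a one-member zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed samples: a lure-shaped attachment and a benign one. The MZ
# header is a stand-in for an executable, not a real binary.
LURE_ZIP = build_sample_zip("UPS_document_Nr28451.exe", b"MZ" + b"\x00" * 62)
BENIGN_ZIP = build_sample_zip("invoice_2010_05.pdf", b"%PDF-1.4\n")

if __name__ == "__main__":
    for name, data in (("UPS_document_Nr28451.zip", LURE_ZIP), ("invoice.zip", BENIGN_ZIP)):
        hits = inspect_attachment(name, data)
        if not hits:
            print(f"{name}: no suspicious members")
        for hit in hits:
            print(f"{hit.archive}: {hit.member} -> {', '.join(hit.reasons)}")
```

The check is deliberately layered: an executable inside an archive is worth a look on its own, but the combination with a matching base name and the lure naming is what makes this delivery pattern stand out from ordinary zipped tools.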
When run, the trojan drops a DLL file with a randomly generated file name and a ".TMP" file extension into the Windows temporary files folder (for example "%TEMP%\e.tmp"). This file may be detected as Trojan:Win32/Oficla. It is then copied using a variable file name into the Windows system folder (for example <system folder>\tapi.nfo). We have observed the following file names being used by the Win32/Oficla family in this manner:
abcd.efo
abcd.mjo
abfw.xgo
adcc.puo
afhj.hko
ahwa.ulo
ajhg.kqo
ajoa.nwo
ajoj.pso
akhr.vfo
amau.mso
amht.xfo
amuw.bho
aqlb.hjo
asqd.qxo
avuw.xbo
awxm.vho
bfro.fto
bfwc.bwo
bfwl.pgo
bgwj.sdo
bjoj.pko
bjor.lio
bnis.mxo
bnjp.uco
brjw.gvo
bvsn.dyo
bwsb.gio
byly.jgo
byri.leo
cagj.mmo
calc.ifo
cbhr.uco
cdav.ixo
ckrt.dho
codf.ouo
cpcp.cpo
cvqh.hro
cwjv.wmo
dayu.oro
dcbs.hxo
dccd.mro
dccl.qlo
dchn.sco
dcis.ewo
dckp.kio
dckp.smo
dckp.suo
dfcj.yqo
dguu.mdo
dmnv.pro
dqgd.gso
dvas.tqo
dwak.nwo
dwtt.mro
eadp.qko
ecrm.goo
edlp.suo
edrm.yho
efyp.ogo
ehrm.gno
eqja.foo
eqqo.yso
etat.afo
evuq.kjo
eywr.sxo
fcis.yho
fdmw.pvo
fdty.sio
ffnh.dbo
ffxl.hmo
fgjk.hwo
fimp.elo
flhn.jpo
foso.lvo
fsxa.vno
ftoe.rho
fvhg.rmo
fxer.slo
gafj.lmo
gcyc.luo
gelp.kio
geuk.mno
gjpm.hro
glrl.rvo
gpsq.ajo
gsvj.ulo
gvpq.nlo
hdpy.eio
hdqw.pko
hedl.qlo
hedl.qto
hefs.nto
helh.oso
hjao.sco
hlhl.bfo
hlku.lro
hnbc.dro
hpiq.gio
hpyu.mso
hspe.uvo
hurn.fro
hwks.oyo
hypc.xyo
ifmq.kqo
ihbo.kjo
ihrv.kko
ijao.wto
inqk.hgo
ipqd.cto
ipyt.vao
iqum.tco
isdt.hwo
italc.ifo
iywn.sjo
jfmi.goo
jgan.plo
jmnj.vvo
jnio.jho
jriw.eao
jrxm.aeo
jxca.hto
jyku.fjo
kemk.tuo
kfla.ako
kgmq.kio
kgtu.opo
khqq.qyo
kjgk.sko
kjvd.kxo
kntv.emo
knvh.nio
kqvu.hvo
lfrt.njo
lgou.rlo
lhek.ydo
lkdk.bho
lkmj.bdo
lksd.gxo
llls.euo
lmep.bqo
lnud.yjo
loio.jho
loio.rto
loqk.pso
lwbe.cxo
lydt.rro
miin.kso
mjbf.xlo
mkrk.ooo
mldq.ovo
mouj.yjo
mpcj.olo
mphn.vmo
mpjo.jpo
mpor.yuo
mrge.ilo
mrsf.fbo
msol.voo
mtct.kio
mwyb.wdo
nbqu.ido
ngrv.eqo
ngts.vao
nhfm.qto
nhni.goo
njpb.ojo
nkbu.vao
nldk.yxo
nlou.cco
nmko.mso
nnfj.tqo
nnrs.gqo
nqyj.rco
nsuq.rdo
ntxr.bfo
nxxd.pio
nynw.wmo
oaaq.kfo
oanb.fxo
oapu.ygo
obij.vco
ocka.umo
ocnx.gco
ocqu.wro
oegq.loo
ohov.fxo
oife.mro
ojgo.pxo
ommo.pyo
onyc.ffo
oqmt.heo
oqrk.pso
ornw.oro
oubw.hvo
ovjp.fbo
oxje.kso
pdjg.kjo
peck.dho
pfpp.dao
pful.tko
pgsb.lto
pgul.cqo
plbt.nbo
pnko.jso
ppto.koo
pqjg.fno
pqrk.hgo
pqrs.tmo
prqy.fko
pufr.kho
pumb.jho
qegy.gvo
qgjo.ijo
qiai.jfo
qimu.ano
qiok.xwo
qtjr.pno
qtru.lfo
qvbw.iio
rbxw.vao
rcvd.fwo
rihd.pno
rjuq.mpo
rkhq.svo
rkie.mpo
rkso.iso
rlge.boo
rqfp.kmo
rsma.tdo
rvbw.nxo
rwkv.buo
rxms.pio
rxup.rko
sfsp.cfo
siek.guo
sijw.fko
sipo.bpo
siqf.cso
siut.ayo
smvh.odo
sojs.smo
spho.qyo
spwr.bjo
srnh.lto
ssmv.afo
sttp.oko
svtt.vdo
svvi.ffo
svvs.dvo
syce.xto
tabj.xeo
tapi.nfo
tapp.tfo
tdru.fko
tftp.msc
tftp.nfo
tgfm.klo
thxr.wgo
tkjh.huo
tofx.clo
trmy.tjo
tvqx.joo
tydj.odo
ubiw.ljo
uefu.pho
ufem.yto
ujvh.dro
urwh.djo
usmf.vso
utam.sxo
uvro.uyo
uxfo.hvo
uxid.juo
vbvr.qjo
vefh.bko
vgdh.dpo
vjub.bgo
vqto.eko
vrpy.dgo
vukh.gxo
vuxh.nko
vxew.dao
vxms.suo
wdni.buo
wjqd.rqo
wlmv.kuo
wmko.jyo
wnhf.cvo
wnuc.opo
wonv.umo
wpvq.gto
wrdr.kuo
wssf.hgo
wtxg.vwo
wvtc.cto
xbwg.oko
xdej.pao
xdqp.tbo
xlyf.ppo
xncs.doo
xxsu.ivo
xxtr.lro
yhre.jpo
yhru.tyo
yivj.pbo
yjhj.ixo
ykda.sxo
ylse.wyo
ylvr.dwo
ymmh.byo
ynbf.bno
yntw.mio
yoah.nlo
yoyg.guo
yprf.wpo
ypxb.lvo
yron.uno
yvoc.hao
ywkp.lvo
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP, Vista, and 7.
The registry is modified to run this copy at each Windows logon as in the following example:
Modifies value: "Shell"
From data: "<original data>"
To data: "explorer.exe rundll32.exe <Trojan:Win32/Oficla file> <DLL export name>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note: <Trojan:Win32/Oficla file> refers to the variable file name being used by the variant in question, while <DLL export name> refers to an export within the trojan DLL being utilized.
For example:
Modifies value: "Shell"
With data: "explorer.exe rundll32.exe tapi.nfo beforeglav"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
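The Winlogon "Shell" value is a high-value persistence location that is easy to audit: on a clean system it holds exactly "explorer.exe", so anything appended to it deserves attention, and a rundll32.exe call with a bare DLL name and an export (as in the example above) is the specific shape this family leaves behind. The following is an added example, not code from the original page or from Microsoft; it parses Shell values, extracts the rundll32 DLL and export, and flags DLL names that fit the four-letter, three-letter-ending-in-"o" pattern of the file names listed on this page. It can also read the live value through the standard-library winreg module on Windows, and falls back to constructed samples elsewhere. The names `check_winlogon_shell`, `read_live_shell_value`, `ShellFinding` and `OFICLA_NAME_RE` are assumptions made for the example.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Optional

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"

# Shape of the DLL names listed on this page: four letters, a dot, and a
# three-letter extension ending in "o" (tftp.msc is the one exception shown).
OFICLA_NAME_RE = re.compile(r"^[a-z]{4}\.[a-z]{2}o$", re.IGNORECASE)


@dataclass
class ShellFinding:
    value: str
    dll: str = ""
    export: str = ""
    reasons: list = field(default_factory=list)


def check_winlogon_shell(value: str) -> Optional[ShellFinding]:
    """Return None for a clean Shell value, otherwise a finding with reasons."""
    tokens = value.strip().split()
    lowered = [t.lower() for t in tokens]
    if lowered == [EXPECTED_SHELL]:
        return None
    finding = ShellFinding(value=value)
    finding.reasons.append("Shell value is not exactly explorer.exe")
    # Locate a rundll32 invocation and pull out its DLL and export arguments.
    for i, tok in enumerate(lowered):
        if tok in ("rundll32.exe", "rundll32"):
            finding.reasons.append("rundll32 chained after the shell")
            if i + 1 < len(tokens):
                finding.dll = tokens[i + 1]
            if i + 2 < len(tokens):
                finding.export = tokens[i + 2]
            break
    if finding.dll:
        basename = re.split(r"[\\/]", finding.dll)[-1]
        if not re.search(r"[\\/]", finding.dll):
            finding.reasons.append(
                "DLL given by bare name, so it resolves from the system folder"
            )
        if OFICLA_NAME_RE.match(basename):
            finding.reasons.append("DLL name matches the Oficla naming pattern")
    return finding


def read_live_shell_value() -> Optional[str]:
    """Read the Winlogon Shell value on Windows; return None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, available only on Windows

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
    return value


# Constructed sample values: the clean default, the example from this page,
# and a constructed variant that uses a full path to one of the listed names.
SAMPLE_VALUES = [
    "explorer.exe",
    "explorer.exe rundll32.exe tapi.nfo beforeglav",
    r"explorer.exe rundll32.exe C:\Windows\System32\abcd.efo beforeglav",
]

if __name__ == "__main__":
    live = read_live_shell_value()
    for v in ([live] if live else []) + SAMPLE_VALUES:
        f = check_winlogon_shell(v)
        print(f"{v!r}: {'clean' if f is None else '; '.join(f.reasons)}")
```

Run as administrator on a Windows host, the script reports the live value first; anywhere else it exercises only the constructed samples. The bare-name check matters because rundll32 resolves a bare DLL name through the normal search order, which is what lets the dropped copy in the system folder load without a path ever appearing in the registry.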
The trojan also injects code into the running process "svchost.exe".
Payload
Downloads and executes arbitrary files
Trojan:Win32/Oficla attempts to download and execute arbitrary files from specified remote hosts.
In the wild, Oficla variants have been observed to contact the following remote hosts as a part of this process:
124.217.239.26
193.104.22.61
77.221.153.183
84.19.161.62
87.118.81.62
91.188.59.21
ablegang.com
adjamadja.cn
adm1n.ru
adv.businessmaster.in
aervrfhu.ru
andige.net
antiviruspc-update.com
apsight.ru
autotradersuk.net
avppi.com
baksomania2010.ru
bankmob1l.cc
bizevery.com
brainzzz.net
buyexplaine.com
centralsheep.com
client158.faster-hosting.com
da-google.com
dabubbagump.com
dallynews.cn
davidbredov.ru
davidopolko.ru
designfolkov.ru
det0xcorp.kz
dionada.com
dnsresourcecenter.com
dosuguss.net
ecountertracker.cc
elkadoman2.net
enzoforfree.ru
everybots.com
ezsdo.com
factoryofgood.ru
fernandohuentos.com
findactions.net
flashvideomovie.com
fooofle.ru
freesoftware-multimedia.com
frogber.com
funnylive2010.ru
garavangzik.com
googga.com
hoopforbes.com
hulejsoops.ru
ieksmanskasdk.com
inroyal.info
ipv6i.tw
itnatcompip.com
justmyl.com
klirricon.com
ks45tn2.cn
ldsma.com
lightobmen.ru
luboydomen.cn
magentox.net
malahovplus.com
marketingsites.info
mirikas.cn
modsm.com
mutant-star.net
myldxs.com
mylodka.net
myxmad.com
nebuhai.com
netmegasite.net
newdaypeace.org
nonstopacc.com
omega5.cn
papaanarhia.cn
postfolkovs.ru
poteriapoter.com
puthere.info
republicdemocracy.cn
salamangzan.com
santorinc.com
servhb.com
sktdo.com
sogom.net
solomacosx.org
sprutsss.in
spuperrrtransfer.com
sscanner.ru
system-dns.net
system-on.com
system-resolve.com
tomorrrrow.cn
topdns24.com
topdns241.com
topdns341.com
umor.uz.ua
underskyz.cn
uploadfilm1.org
vampirizmu.net
vanus.biz
vertelitt.com
vitamelatonin.biz
web-pings.net
winxpupdate.org
wow.telesweet.net
www.freecapch.info
www.yoookolai.ru
xtubez.org
yaftop.com
yarostt.net
ydopr.com
zflaersroot.cn
Files downloaded and executed by Oficla include additional malware and updates for itself. In the wild, Oficla has been observed downloading and executing members of the following prevalent malware families:
- Win32/Hiloti - a family of trojans that downloads and executes arbitrary files, and moderates an affected user's online experience.
- Win32/FakeScanti - a family of trojans that claims to scan for malware and display fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
- Win32/Cutwail - a family of trojans which downloads and executes arbitrary files. Downloaded files may be executed from disk or injected directly into other processes. Whilst the functionality of the files that are downloaded is variable, Cutwail usually downloads a Trojan which is able to send spam. Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal.
- Win32/Zbot - a family of trojans that steals passwords and allows unauthorized access and control of an affected computer.
- Win32/Alureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.
- Win32/FakeRean - a family of trojans that claims to scan for malware and display fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
- Win32/Sefnit - a family of trojans that moderates an affected user's online experience.
- Win32/Bamital - a family of trojans that modifies web search queries and displays advertisements.
Analysis by Scott Molenkamp
Prevention
Take the following steps to help prevent infection on your computer:
- Enable a firewall on your computer.
- Get the latest computer updates for all your installed software.
- Use up-to-date antivirus software.
- Limit user privileges on the computer.
- Use caution when opening attachments and accepting file transfers.
- Use caution when clicking on links to webpages.
- Avoid downloading pirated software.
- Protect yourself against social engineering attacks.
- Use strong passwords.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed on your computer. These are usually available from vendor websites.
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see http://www.microsoft.com/windows/antivirus-partners/.
Limit user privileges on the computer
Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with least user privileges. This limits the possibility of attacks by malware and other threats that require administrative privileges to run.
You can configure UAC on your computer to meet your preferences:
Use caution when opening attachments and accepting file transfers
Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to webpages
Exercise caution with links to webpages that you receive from unknown sources, especially if the links lead to a webpage that you are not familiar with, are unsure of the destination of, or are suspicious of. Malicious software may be installed on your computer simply by visiting a webpage with harmful content.
Avoid downloading pirated software
Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.
Protect yourself from social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer. For more information, see 'What is social engineering?'.
Use strong passwords
Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see http://www.microsoft.com/protect/yourself/password/create.mspx.
There are no obvious symptoms that indicate the presence of this malware on an affected computer.