
Trojan:Win32/Oficla.M


Trojan:Win32/Oficla.M is a trojan that attempts to inject code into a running process to download a rogue security program identified as TrojanDownloader:Win32/FakeScanti. It may arrive as a spammed e-mail attachment to a message pretending to be a Facebook password reset.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Trojan:Win32/Oficla.M is a trojan that attempts to inject code into a running process to download a rogue security program identified as TrojanDownloader:Win32/FakeScanti.
Installation
Trojan:Win32/Oficla.M is a detection for both the dropper executable and the dropped DLL. In the wild, this trojan has been observed to be distributed in spammed e-mail messages as an attachment. The attachment is an archive file with either one of these names:
 
  • "Facebook details <random 3 or 4 digit number>.zip"
  • "Facebook password <random 3 or 4 digit number>.zip"
  • "Facebook document <random 3 or 4 digit number>.zip"
 
The archive contains an executable with the same base name as the archive (for example, "Facebook password 357.zip" contains "Facebook password 357.exe"). The spammed e-mail message resembles one of the following:
 
From: <spoofed sender@facebookmail.com>
To: <recipient>
Subject: Facebook Password Reset Confirmation! Important Message
Attachment: Facebook password 357.zip (Facebook password 357.exe)
 
Dear user of facebook,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
 
Thanks,
Your Facebook.
 
From: <spoofed sender@facebookmail.com>
To: <recipient>
Subject: Facebook Password Reset Confirmation NR.7131
Attachment: Facebook document 674.zip (Facebook document 674.exe)
 
Hey <recipient>,
 
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
 
Thanks,
The Facebook Team
 
From: <spoofed sender@facebookmail.com>
To: <recipient>
Subject: Facebook Password Reset Confirmation NR.83008
Attachment: Facebook details 3472.zip (Facebook details 3472.exe)
 
Hey <recipient>,
 
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
 
Thanks,
The Facebook Team.
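The lure above has two stable properties that a mail gateway can check without any signature for the executable itself: the attachment name follows the "Facebook details|password|document <3-4 digit number>.zip" pattern, and the zip holds a single .exe whose base name equals the archive's. The following Python is an added example written for this entry, not code from the MMPC or from the malware; the Message class, the indicator names and the two sample messages are constructed for illustration (the zip member is a placeholder byte string, not the trojan).

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Lure attributes taken from the samples in the entry above.
SPOOFED_DOMAIN = "facebookmail.com"
SUBJECT_RE = re.compile(r"^Facebook Password Reset Confirmation", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^Facebook (details|password|document) \d{3,4}\.zip$", re.IGNORECASE)


@dataclass
class Message:
    sender: str            # address from the From: header
    subject: str
    attachment_name: str
    attachment: bytes      # raw bytes of the single attachment


def build_zip(member_name: str, payload: bytes) -> bytes:
    """Construct an in-memory zip with one member (used only for the constructed samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def zip_members(data: bytes):
    """Return the member names of a zip, or None if the bytes are not a zip archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def lure_indicators(msg: Message) -> list:
    """List which of the campaign's traits a message shows, in a fixed order."""
    hits = []
    domain = msg.sender.rsplit("@", 1)[-1].strip("> ").lower()
    if domain == SPOOFED_DOMAIN and SUBJECT_RE.match(msg.subject.strip()):
        hits.append("facebook-reset-subject")
    if ATTACHMENT_RE.match(msg.attachment_name):
        hits.append("campaign-attachment-name")
    members = zip_members(msg.attachment)
    if members is not None:
        stem = re.sub(r"\.zip$", "", msg.attachment_name, flags=re.IGNORECASE).lower()
        for member in members:
            if member.lower().endswith(".exe"):
                hits.append("zip-contains-exe")
                # The lure's executable carries the archive's own name.
                if member[:-4].lower() == stem:
                    hits.append("exe-named-like-archive")
                break
    return hits


def is_oficla_lure(msg: Message) -> bool:
    """Verdict: the campaign file name plus an executable inside the zip."""
    hits = lure_indicators(msg)
    return "campaign-attachment-name" in hits and "zip-contains-exe" in hits


# Constructed samples, not captured mail; the zip member is a placeholder, not the trojan.
SAMPLE_LURE = Message(
    sender="noreply@facebookmail.com",
    subject="Facebook Password Reset Confirmation! Important Message",
    attachment_name="Facebook password 357.zip",
    attachment=build_zip("Facebook password 357.exe", b"placeholder, not an executable"),
)
SAMPLE_BENIGN = Message(
    sender="alice@example.org",
    subject="Q2 report",
    attachment_name="report.zip",
    attachment=build_zip("report.txt", b"nothing to see"),
)

if __name__ == "__main__":
    for m in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(m.attachment_name, is_oficla_lure(m), lure_indicators(m))
```

The subject and spoofed sender domain are reported only as supporting indicators, since legitimate Facebook mail also comes from facebookmail.com; the verdict rests on the attachment name and on an executable inside the archive, which are the traits a blocking rule can act on. A zip-in-zip or a renamed archive would evade this check, so it complements rather than replaces the antivirus scan recommended above.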
 
When run, the trojan drops a copy of itself into the Windows Temporary Files folder under a file name consisting of a number and the ".TMP" extension, for example "%TEMP%\1.tmp". The dropped copy is then executed; it queues a user-mode Asynchronous Procedure Call (APC) to a thread of "svchost.exe", so that the malicious code runs in the context of that process (a user-mode APC is delivered when the target thread next enters an alertable wait).
 
The trojan then copies itself into the Windows system folder under a file name that varies between minor variants. The following file names have been observed in the wild:
 
  • ffxl.hmo
  • mjbf.xlo
  • obij.vco
  • ohov.fxo
  • wrdr.kuo
  • ylvr.dwo
  • nnfj.tqo
 
The registry is modified so that this copy runs at each Windows start, as in the following example:
 
Modifies value: "Shell"
With data: "explorer.exe rundll32.exe ffxl.hmo vhoyog"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 
Note: In the above, "ffxl.hmo" is the dropped module loaded by "rundll32.exe" and "vhoyog" is the export name it is asked to call; both may change among minor variants of this trojan.
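The Winlogon "Shell" value normally holds nothing but "explorer.exe", so the persistence above is easy to spot: any extra tokens are suspicious, and "rundll32.exe" loading a module whose name does not end in ".dll" is the specific shape this trojan uses. The following Python is an added example written for this entry, not MMPC code; it generalizes the single registry value shown above to any rundll32-loaded non-DLL module, flags the file names listed above as known variants, and reads the live value only on a Windows host. The verdict labels and the read_shell_value helper are this example's own.

```python
# Dropped-file names observed in the wild for this trojan (listed in the entry above).
KNOWN_DROPPED = {"ffxl.hmo", "mjbf.xlo", "obij.vco", "ohov.fxo", "wrdr.kuo", "ylvr.dwo", "nnfj.tqo"}
DEFAULT_SHELL = "explorer.exe"

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def tokens(shell_data: str) -> list:
    """Winlogon runs the Shell data as a command line, so split it on whitespace."""
    return shell_data.strip().split()


def assess_shell_value(shell_data: str) -> dict:
    """Classify Winlogon Shell data.

    verdict is one of:
      "clean"          - exactly "explorer.exe"
      "suspicious"     - anything else (extra programs appended to the shell)
      "oficla-pattern" - rundll32.exe loading a module whose name does not end in .dll
      "oficla-known"   - the module name is one of the file names listed above
    """
    t = tokens(shell_data)
    lowered = [x.lower() for x in t]
    result = {"verdict": "clean", "loader": None, "module": None, "export": None}
    if lowered == [DEFAULT_SHELL]:
        return result
    result["verdict"] = "suspicious"
    if "rundll32.exe" in lowered:
        i = lowered.index("rundll32.exe")
        if i + 1 < len(t):
            module = t[i + 1]
            result["loader"] = "rundll32.exe"
            result["module"] = module
            # rundll32 takes "<module> <export>"; the export is the trojan's entry point.
            result["export"] = t[i + 2] if i + 2 < len(t) else None
            if module.lower() in KNOWN_DROPPED:
                result["verdict"] = "oficla-known"
            elif not module.lower().endswith(".dll"):
                result["verdict"] = "oficla-pattern"
    return result


def read_shell_value() -> str:
    """Read the live HKLM Winlogon Shell value; only works on Windows (winreg is Windows-only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        data, _ = winreg.QueryValueEx(key, "Shell")
        return data


if __name__ == "__main__":
    # Constructed inputs: the infected value from the entry above and a clean one.
    for sample in ("explorer.exe", "explorer.exe rundll32.exe ffxl.hmo vhoyog"):
        print(sample, "->", assess_shell_value(sample))
```

On a suspect host, run assess_shell_value(read_shell_value()) and, for a "oficla-pattern" or "oficla-known" verdict, collect the named module from the Windows system folder for the scan recommended above rather than deleting it by hand; the per-variant export name in the result is useful when correlating with other infected machines. A module name that ends in ".dll" would fall through to "suspicious", so review that verdict manually rather than treating it as clean.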
Payload
Downloads other malware
Trojan:Win32/Oficla.M attempts to download other malware, such as TrojanDownloader:Win32/FakeScanti, from certain domains, including:
 
  • yoookolai.ru
  • autotradersuk.net
  • da-google.com
  • client158.faster-hosting.com
  • garavangzik.com
 
Analysis by Marian Radu

Symptoms

Spammed e-mail
The following may indicate that this malware has been sent to you:
  • You receive an e-mail, supposedly from Facebook, about a password reset, with a zip file attached

Prevention


Alert level: Severe
First detected by definition: 1.77.96.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Feb 26, 2010
This entry was first published on: Mar 19, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • W32/Bredolab.DV (Command)
  • Trojan.Inject.XK (BitDefender)
  • Win32/Koobface.LX (CA)
  • Trojan.Win32.Bredolab (Ikarus)
  • Bredolab.gen.c (McAfee)
  • Trj/Sinowal.WXX (Panda)
  • Mal/FakeAV-BW (Sophos)
  • Trojan.Bredolab (Symantec)
  • TROJ_FAKEAV.NAD (Trend Micro)