Installation
Trojan:Win32/Oficla.AC arrives as an email attachment. Below are some samples of emails found to be carrying this malware.
The attachment is a ZIP archive containing a Trojan:Win32/Oficla.AC binary with the same name as the ZIP archive but with an ".EXE" file extension. The malware also mimics the Microsoft Excel icon such that when a user views the file in Windows Explorer, they might think they are opening an Office document. Below are snapshots of some malware samples viewed in Windows Explorer:
Upon execution, this malware drops a copy of itself in the Windows System folder using a hardcoded name that follows the format:
<system folder>\<4 alphabetical characters>.<3 alphabetical characters>
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
Listed below are some of the names found to be used by Trojan:Win32/Oficla.AC:
aflx.ato
cdbu.euo
goap.cmo
hjdt.qto
htqy.nao
hyen.rho
ipch.ygo
jiuh.mjo
jssl.joo
jthv.oao
jxvy.dio
kine.bwo
lncl.wbo
lymj.qgo
nxqm.uyo
pcqr.rvo
rraq.kdo
slia.ofo
thxi.ixo
ubwi.wlo
uiye.cso
vkot.ujo
xfsf.jqo
xupw.pdo
The trojan creates a mutex whose name is also hardcoded in the malware body. The mutex name consists of 17 or 18 alphanumeric characters. Below are some examples of mutex names used by Trojan:Win32/Oficla.AC:
111936669542b82e27
12692285214ba6e3e9
13421855665000205e
14014840905388f33a
162601401860eb0142
18311354196d24e8bb
18436875656de4708d
21312817717f08c76b
23366501028b467376
26554195149e467c7a
2827828871a88d3e87
3218159617bfd13801
3518230204d1b3eebc
3522918577d1fb78b1
3546662287d365c58f
3688289087dbd6d33f
3812628095e340167f
3948371611eb575e9b
3998653920ee569de0
4006816705eed32bc1
4163727901f82d721d
58760387623061fa4
7667407742db38926
88186920334904193
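Both naming schemes above (the 4.3 dropped-file name in the System folder and the 17-18 character mutex name) can be turned into a simple triage check. The following is an added example written for this page, not code from the original writeup or from Microsoft: it matches names against the lists given above and, separately, against the described shape, so that an unlisted variant following the same scheme is still surfaced. The list of ordinary extensions used to suppress shape-only matches and the sample inputs are assumptions constructed for the example.

```python
import re

# Dropped-file names and mutex names listed in the writeup above (copied from the page).
KNOWN_DROPPED_FILES = frozenset([
    "aflx.ato", "cdbu.euo", "goap.cmo", "hjdt.qto", "htqy.nao", "hyen.rho",
    "ipch.ygo", "jiuh.mjo", "jssl.joo", "jthv.oao", "jxvy.dio", "kine.bwo",
    "lncl.wbo", "lymj.qgo", "nxqm.uyo", "pcqr.rvo", "rraq.kdo", "slia.ofo",
    "thxi.ixo", "ubwi.wlo", "uiye.cso", "vkot.ujo", "xfsf.jqo", "xupw.pdo",
])
KNOWN_MUTEXES = frozenset([
    "111936669542b82e27", "12692285214ba6e3e9", "13421855665000205e",
    "14014840905388f33a", "162601401860eb0142", "18311354196d24e8bb",
    "18436875656de4708d", "21312817717f08c76b", "23366501028b467376",
    "26554195149e467c7a", "2827828871a88d3e87", "3218159617bfd13801",
    "3518230204d1b3eebc", "3522918577d1fb78b1", "3546662287d365c58f",
    "3688289087dbd6d33f", "3812628095e340167f", "3948371611eb575e9b",
    "3998653920ee569de0", "4006816705eed32bc1", "4163727901f82d721d",
    "58760387623061fa4", "7667407742db38926", "88186920334904193",
])

# Naming scheme from the writeup: <4 alphabetical characters>.<3 alphabetical characters>.
DROPPED_FILE_RE = re.compile(r"^[a-z]{4}\.[a-z]{3}$")
# Mutex scheme from the writeup: 17 or 18 alphanumeric characters.
MUTEX_RE = re.compile(r"^[0-9a-z]{17,18}$")

# Real three-letter extensions that also fit the 4.3 shape. A name ending in one of
# these is not flagged on shape alone (assumed list, chosen to cut false positives).
ORDINARY_EXTENSIONS = frozenset([
    "dll", "exe", "sys", "ini", "txt", "log", "cpl", "ocx", "drv", "com",
    "msc", "scr", "bat", "cmd", "vbs", "xml", "dat", "mui", "nls", "tlb",
])


def classify_name(name, known, pattern, skip_extensions=frozenset()):
    """Classify one name: 'known' (listed in the writeup), 'pattern' (fits the
    naming scheme but is not listed) or 'clean' (neither)."""
    lower = name.lower()
    if lower in known:
        return "known"
    if pattern.match(lower) and lower.rsplit(".", 1)[-1] not in skip_extensions:
        return "pattern"
    return "clean"


def classify_system_files(filenames):
    """Map each System-folder file name to a verdict."""
    return {n: classify_name(n, KNOWN_DROPPED_FILES, DROPPED_FILE_RE, ORDINARY_EXTENSIONS)
            for n in filenames}


def classify_mutexes(mutex_names):
    """Map each mutex name (e.g. enumerated from a sandbox report) to a verdict."""
    return {n: classify_name(n, KNOWN_MUTEXES, MUTEX_RE) for n in mutex_names}


# Constructed sample inputs (not taken from the page).
SAMPLE_SYSTEM32 = ["kernel32.dll", "jthv.oao", "ntdll.dll", "qwer.tyu", "wbem", "abcd.txt"]
SAMPLE_MUTEXES = ["111936669542b82e27", "58760387623061fa4",
                  "abcdefghijklmnopq", "Global\\SomeMutex"]

if __name__ == "__main__":
    for name, verdict in classify_system_files(SAMPLE_SYSTEM32).items():
        print(f"{name:22} {verdict}")
    for name, verdict in classify_mutexes(SAMPLE_MUTEXES).items():
        print(f"{name:22} {verdict}")
```

A shape-only ("pattern") verdict is weak evidence by itself: the mutex scheme in particular is just a length and character-class constraint, so such hits are best combined with the Winlogon Shell modification described below before acting on them.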
Trojan:Win32/Oficla.AC is capable of starting itself every time the computer reboots. It accomplishes this by replacing the data of the following registry value:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "Shell"
From data: "<original data>"
To data: "Explorer.exe rundll32.exe <malware filename> <malware function name>"
For example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "Shell"
From data: "<original data>"
To data: "Explorer.exe rundll32.exe jthv.oao whbkjlj"
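The Shell value normally holds just the default shell, so the modification above is easy to check for offline, for example against a .reg export of the Winlogon key taken from a suspect machine. The following is an added example written for this page, not code from the original writeup or from Microsoft: it pulls the Shell value out of a .reg export, compares it with the Windows default "explorer.exe", and, when the data has the "Explorer.exe rundll32.exe <file> <function>" shape described above, extracts the module and export name for follow-up. The sample export is constructed; only its Shell data is the writeup's own example.

```python
import re

# Windows default for the Winlogon Shell value (a fact about Windows, not taken from the page).
DEFAULT_SHELL = "explorer.exe"

# Shape of the modified value described in the writeup:
# "Explorer.exe rundll32.exe <malware filename> <malware function name>"
OFICLA_SHELL_RE = re.compile(
    r"^explorer\.exe\s+rundll32(?:\.exe)?\s+(?P<module>\S+)\s+(?P<export>\S+)\s*$",
    re.IGNORECASE,
)

# .reg export lines: "[HKEY_...\Winlogon]" opens a key; "Shell"="..." carries the value.
KEY_LINE_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
SHELL_LINE_RE = re.compile(r'^"Shell"="(?P<data>.*)"\s*$', re.IGNORECASE)


def unescape_reg_string(data):
    """Undo the two escapes a .reg export applies to REG_SZ data."""
    return data.replace('\\\\', '\\').replace('\\"', '"')


def find_shell_values(reg_text):
    """Return [(key path, Shell data)] for every Winlogon key in a .reg export."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        m = KEY_LINE_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if current_key and current_key.lower().endswith("\\winlogon"):
            m = SHELL_LINE_RE.match(line)
            if m:
                hits.append((current_key, unescape_reg_string(m.group("data"))))
    return hits


def assess_shell_value(data):
    """Classify a Shell value as 'default', 'oficla_like' (module and export
    pulled out of the rundll32 command line) or 'nondefault' (anything else)."""
    value = data.strip()
    if value.lower() == DEFAULT_SHELL:
        return {"status": "default", "value": value}
    m = OFICLA_SHELL_RE.match(value)
    if m:
        return {"status": "oficla_like", "value": value,
                "module": m.group("module"), "export": m.group("export")}
    return {"status": "nondefault", "value": value}


# Constructed .reg export (not from the page); the Shell data is the writeup's example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe jthv.oao whbkjlj"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""

if __name__ == "__main__":
    for key, data in find_shell_values(SAMPLE_REG_EXPORT):
        print(key)
        print(assess_shell_value(data))
```

Any "nondefault" result still deserves a look: the check only names the exact rundll32 shape from this writeup, and any other Shell value that is not plain "explorer.exe" is unusual on a workstation.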
In addition, Trojan:Win32/Oficla.AC drops a copy of itself into the user's Temporary directory:
%TEMP%\<random alphanumeric characters>.tmp
It tries to launch a legitimate instance of the service host process (svchost.exe) and injects the *.TMP copy of itself into it.
Payload
Downloads and executes arbitrary files
Trojan:Win32/Oficla.AC attempts to download and execute arbitrary files from specified remote hosts.
In the wild, we have observed the trojan contacting the following remote hosts as part of this process:
biznes-lab.info
exfacebooks.com
fary5monn.info
gruzakk.com
logstime.com
matchpassion.net
mediamoon.ru
nuzno.us
olgashelest.ru
showtimeru.ru
thegoodbox.com
unknown-garbage.com
webauc.ru
wvw.aol-serv.net
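Host indicators like the list above are most useful when run over DNS query logs from the environment. The following is an added example written for this page, not code from the original writeup or from Microsoft: it matches each queried name against the listed hosts, treating a subdomain of a listed host as a hit as well, and reports which client asked for it. The log line format and the sample lines are constructed for the example and are not a real product's format.

```python
# Remote hosts listed in the writeup above (copied from the page).
OFICLA_HOSTS = frozenset([
    "biznes-lab.info", "exfacebooks.com", "fary5monn.info", "gruzakk.com",
    "logstime.com", "matchpassion.net", "mediamoon.ru", "nuzno.us",
    "olgashelest.ru", "showtimeru.ru", "thegoodbox.com", "unknown-garbage.com",
    "webauc.ru", "wvw.aol-serv.net",
])


def matching_host(qname, hosts=OFICLA_HOSTS):
    """Return the listed host that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # Walk from the full name up to its two-label suffix; a bare TLD is never checked.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


def parse_dns_line(line):
    """Parse one line of the constructed log format:
    <date> <time> <client ip> query <rr type> <qname>"""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "query":
        return None
    return {"timestamp": f"{parts[0]} {parts[1]}", "client": parts[2],
            "rrtype": parts[4], "qname": parts[5]}


def scan_dns_log(lines):
    """Return (client, qname, listed host) for every query that names a listed host."""
    hits = []
    for line in lines:
        rec = parse_dns_line(line)
        if rec is None:
            continue  # malformed line: skipped rather than aborting the scan
        host = matching_host(rec["qname"])
        if host:
            hits.append((rec["client"], rec["qname"], host))
    return hits


# Constructed sample log lines (not from the page).
SAMPLE_DNS_LOG = [
    "2010-04-12 10:31:02 192.168.1.20 query A www.microsoft.com",
    "2010-04-12 10:31:05 192.168.1.20 query A logstime.com",
    "2010-04-12 10:31:09 192.168.1.44 query A www.biznes-lab.info",
    "2010-04-12 10:31:11 192.168.1.44 query A wvw.aol-serv.net.",
    "2010-04-12 10:31:14 192.168.1.51 query A aol.com",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for client, qname, host in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client:15} {qname:28} matches {host}")
```

Matching is done on the listed hosts only; a sibling such as another name under aol-serv.net is not reported because the writeup lists wvw.aol-serv.net specifically, and the trailing dot of a fully qualified query name is stripped before comparison.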
Analysis by Gilou Tenebro