Win32/Oficla is a family of trojans that attempts to inject code into running processes in order to download and execute arbitrary files. In the wild, we have observed variants of this family downloading and installing several different malware families, including Win32/FakeScanti and Win32/Cutwail.
Win32/Oficla consists of several components, including an executable trojan dropper component that installs a DLL trojan component; the DLL component then carries out the download payload.
Installation
Win32/Oficla is often distributed attached to spammed e-mail messages. For example, we have observed several variants being spammed in attachments that use one of the following file names:
- UPS_document_Nr28451.zip
- DHL_document_Nr39153.zip
- Western_Union_documento_Nr7821.zip
The archive (zip) file contains an executable with the same name but with an ".EXE" file extension (e.g. UPS_document_Nr28457.zip would contain UPS_document_Nr28457.exe). The file may use the Microsoft Word or Microsoft Excel document icon.
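The lure described above can be checked at a mail gateway: a zip attachment with a carrier-style name whose only member is an executable with the same base name. This is an added example, not code from the original entry; the name regex, the indicator codes and the sample archive are assumptions constructed for the example.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Attachment names seen in the wild follow <carrier>_document[o]_Nr<digits>.zip (regex is an assumption).
LURE_NAME = re.compile(r"^(UPS|DHL|Western_Union)_documento?_Nr\d+\.zip$", re.IGNORECASE)


def build_sample_archive(member_name: str) -> bytes:
    """Constructed sample: a zip with one member carrying a dummy MZ header (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def lure_indicators(archive_name: str, archive_bytes: bytes) -> list[str]:
    """Return indicator codes for a zip attachment matching the Oficla lure (empty list = none)."""
    indicators: list[str] = []
    if LURE_NAME.match(archive_name):
        indicators.append("lure-filename")
    archive_stem = PurePosixPath(archive_name).stem.lower()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            member = PurePosixPath(info.filename.replace("\\", "/"))
            if member.suffix.lower() != ".exe":
                continue
            indicators.append(f"exe-member:{info.filename}")
            if member.stem.lower() == archive_stem:
                indicators.append("member-mirrors-archive-name")
            if zf.read(info)[:2] == b"MZ":  # a PE image, whatever document icon it shows
                indicators.append("mz-header")
    return indicators


if __name__ == "__main__":
    name = "UPS_document_Nr28457.zip"
    print(name, "->", lure_indicators(name, build_sample_archive("UPS_document_Nr28457.exe")))
```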
When run, the trojan drops a DLL file with a randomly generated file name and a ".TMP" file extension into the Windows temporary files folder (for example "%TEMP%\e.tmp"). This file may be detected as Trojan:Win32/Oficla. It is then copied using a variable file name into the Windows system folder (for example <system folder>\tapi.nfo). We have observed the following file names being used by the Win32/Oficla family in this manner:
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The registry is modified to run this copy at each Windows logon as in the following example:
Modifies value: "Shell"
From data: "<original data>"
To data: "explorer.exe rundll32.exe <Trojan:Win32/Oficla file> <DLL export name>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note: <Trojan:Win32/Oficla file> refers to the variable file name being used by the variant in question, while <DLL export name> refers to an export within the trojan DLL being utilized.
For example:
Modifies value: "Shell"
With data: "explorer.exe rundll32.exe tapi.nfo beforeglav"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
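The Winlogon Shell change shown above is easy to audit: the stock value is a lone "explorer.exe", and the Oficla form appends "rundll32.exe <module> <export>" where the module has a non-DLL extension and no path. The following checker is an added example, not code from the original entry; the finding codes are assumptions, and the live registry read uses the standard winreg module on Windows only.

```python
from __future__ import annotations

EXPECTED_SHELL = "explorer.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_shell_value(value: str) -> list[list[str]]:
    """Split a Shell value (comma-separated programs) into whitespace-split command lines."""
    return [entry.split() for entry in value.split(",") if entry.strip()]


def assess_winlogon_shell(value: str) -> list[str]:
    """Return finding codes for a Shell value; an empty list means the stock shell."""
    findings: list[str] = []
    entries = parse_shell_value(value)
    normalized = [" ".join(tok.lower() for tok in argv) for argv in entries]
    if normalized != [EXPECTED_SHELL]:
        findings.append("nondefault-shell")
    for argv in entries:
        for i, tok in enumerate(argv):
            if tok.lower() != "rundll32.exe":
                continue
            # Oficla form: explorer.exe rundll32.exe <module> <export>
            if len(argv) < i + 3:
                findings.append("rundll32-without-export")
                continue
            module, export = argv[i + 1], argv[i + 2]
            findings.append(f"rundll32-load:{module}:{export}")
            if not module.lower().endswith(".dll"):
                findings.append(f"non-dll-module:{module}")  # e.g. tapi.nfo
            if "\\" not in module:
                findings.append(f"unqualified-module:{module}")  # bare name, found via the search path
    return findings


def read_live_shell_value() -> str | None:
    """Read the live value through winreg on Windows; return None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
        return value


if __name__ == "__main__":
    live = read_live_shell_value()
    for sample in ([live] if live else [EXPECTED_SHELL, "explorer.exe rundll32.exe tapi.nfo beforeglav"]):
        print(repr(sample), "->", assess_winlogon_shell(sample) or "clean")
```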
The trojan also injects code into the running process "svchost.exe".
Payload
Downloads and executes arbitrary files
Trojan:Win32/Oficla attempts to download and execute arbitrary files from specified remote hosts.
In the wild, Oficla variants have been observed to contact the following remote hosts as a part of this process:
Files downloaded and executed by Oficla include additional malware and updates for itself. In the wild, Oficla has been observed downloading and executing members of the following prevalent malware families:
Win32/Hiloti - a family of trojans that downloads and executes arbitrary files, and moderates an affected user's online experience.
Win32/FakeScanti - a family of trojans that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
Win32/Cutwail - a family of trojans which downloads and executes arbitrary files. Downloaded files may be executed from disk or injected directly into other processes. Whilst the functionality of the files that are downloaded is variable, Cutwail usually downloads a trojan which is able to send spam. Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal.
Win32/Zbot - a family of trojans that steals passwords and allows unauthorized access and control of an affected computer.
Win32/Alureon - a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.
Win32/FakeRean - a family of trojans that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.
Win32/Sefnit - a family of trojans that moderates an affected user's online experience.
Win32/Bamital - a family of trojans that modifies web search queries and displays advertisements.
Analysis by Scott Molenkamp
Take the following steps to help prevent infection on your computer:
Enable a firewall on your computer.
Get the latest computer updates for all your installed software.
Use up-to-date antivirus software.
Limit user privileges on the computer.
Use caution when opening attachments and accepting file transfers.
Use caution when clicking on links to webpages.
Avoid downloading pirated software.
Protect yourself against social engineering attacks.
Use strong passwords.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
Use up-to-date antivirus software
Limit user privileges on the computer
Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with least user privileges. This scenario limits the possibility of attacks by malware and other threats that require administrative privileges to run.
You can configure UAC in your computer to meet your preferences:
Use caution when opening attachments and accepting file transfers
Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to webpages
Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed in your computer simply by visiting a webpage with harmful content.
Avoid downloading pirated software
Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.
Protect yourself from social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer. For more information, see 'What is social engineering?'.
Use strong passwords
Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see http://www.microsoft.com/protect/yourself/password/create.mspx.