Trojan:Win32/Oficla.E is a trojan that attempts to inject code into a running process to download a rogue security program identified as TrojanDownloader:Win32/FakeScanti.
Installation
Trojan:Win32/Oficla.E may be installed by other malware such as
TrojanDropper:Win32/Oficla.A. In the wild, this trojan was observed being distributed in spammed e-mail messages as an attachment. The attachment is an archive file named "agreement.zip" containing an executable named "agreement.exe". The spammed e-mail message resembles the following:
From: < spoofed sender @facebookmail.com>
To: <recipient>
Subject: new Facebook account agreement
Attachment: agreement.zip (agreement.exe)
Dear Facebook user,
Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.
Please unzip the attached file and run "agreement.exe" by double-clicking it.
Thanks,
The Facebook Team
Confirmation Code #: 4292113475116
When run, the trojan drops a copy of itself into the %TEMP% folder under a random numeric file name with a ".TMP" extension, such as "%TEMP%\1.tmp". The dropped copy is then executed; it queues a user-mode Asynchronous Procedure Call (APC) to "svchost.exe" so that the malicious APC is called while "svchost.exe" is running. The trojan then copies itself as a randomly named file into the Windows system folder, for example:
<system folder>\dckp.kio
The registry is modified to run this copy at each Windows start as in the following example:
Modifies value: "Shell"
With data: "explorer.exe rundll32.exe dckp.kio pushprl"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note: In the above, the data "dckp.kio pushprl" may change among installations.
The trojan modifies the registry with the following value and data:
Adds value: "url0"
With data: "< hexadecimal data >"
In subkey: HKLM\SOFTWARE\Classes\idid
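As an added example (not part of this write-up or Microsoft's tooling), the following Python check scans a `reg export` of the two keys named above for the persistence artifacts described: a Winlogon "Shell" value that is anything other than "explorer.exe", and a "url0" value under HKLM\SOFTWARE\Classes\idid. The `INFECTED_REG` and `CLEAN_REG` exports are constructed samples, and the hex bytes stand in for the page's "< hexadecimal data >" placeholder.

```python
import re

# Constructed sample .reg export showing the two artifacts the write-up describes;
# the hex data stands in for the page's "< hexadecimal data >" placeholder.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe rundll32.exe dckp.kio pushprl"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid]
"url0"=hex:68,74,74,70
'''
# Constructed clean export of the same key, to show the check stays quiet.
CLEAN_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''

WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON'
IDID = r'HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IDID'
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    """Parse a .reg export into {KEY_PATH (upper-cased): {value name (lower-cased): raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            keys[current][val.group(1).lower()] = val.group(2)
    return keys

def find_indicators(text):
    """Return the suspicious values found; an empty dict means neither artifact is present."""
    keys = parse_reg(text)
    findings = {}
    shell = keys.get(WINLOGON, {}).get('shell')
    # On a clean system Winlogon\Shell is exactly "explorer.exe"; Oficla.E appends a
    # rundll32.exe launch of its randomly named DLL, so any extra token is suspicious.
    if shell is not None and shell.strip('"').lower().split() != ['explorer.exe']:
        findings['winlogon_shell'] = shell.strip('"')
    if 'url0' in keys.get(IDID, {}):
        findings['classes_idid_url0'] = keys[IDID]['url0']
    return findings
```

On a live host the same input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and likewise for the Classes\idid key); the exact DLL name and export differ per installation, which is why the check keys on any deviation from "explorer.exe" rather than on "dckp.kio".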
Payload
Downloads other malware from the following domains:
mnogoijirno.com
dallynews.cn
Orgazmer.com
adjamadja.cn
Analysis by Tim Liu