Description of template Trojan.Win32.Oficla.w

It can be said that this is a quite special type of malicious program - with different mechanisms and ways of operation compared to the previous known models.

It can be said that this is a quite special type of malicious program - with a mechanism and way of operation that is different from the models that were previously known . They can perform many destructive actions such as deleting, preventing access, editing or copying users' data, blocking network access speed and other functions in the same system. Therefore, we can consider this a very versatile Trojan variant - understandably, they are compiled from many other Trojans.

The type Trojan.Win32.Oficla.w - categorized and named by Kaspersky, is also known by the following names:

- Trojan.Win32.Agent.duxv (detected by Kaspersky Lab)
- Trojan: SpyAgent-br.dll (McAfee)
- Mal / Oficla-A (Sophos)
- Trj / Sinowal.WZZ (Panda)
- Trojan: Win32 / Oficla.M (MS (OneCare))
- Trojan.Oficla.38 (DrWeb)
- Win32 / Oficla.GN trojan (Nod32)
- Trojan.Oficla.S (BitDef7)
- Win32: Rootkit-gen [Rtk] (AVAST)
- Trojan.Win32.Oficla (Ikarus)
- Generic17.CFKT (AVG)
- TR / Spy.Inject.L (AVIRA)
- Trojan.Sasfis (NAV)
- W32 / Oficla.FJ (Norman)
- Trojan.Win32.Generic.5205573B (Rising)
- Trojan.Win32.Oficla.w [AVP] (FSecure)
- TROJ_DLOADR.SMVE (TrendMicro)
- Trojan.Win32.Sasfis.a (v) (Sunbelt)

Trojan.Win32.Oficla.w's first sign was discovered on April 26, 2010 at 21:24 GMT, they started operating one day later - April 27, 2010 at 3:50 GMT, and Analysis information is published on 07/07/2010 - 11:08 GMT.

Detailed technical analysis

Similar to other Trojan programs, they have the mechanism to automatically download and activate other malware when successfully compromised on the victim's computer. And when enabled, these Trojan programs will extract and create files of the Windows system (* .dll) in the system directory of the form:% system% thxr.wgo. At the same time, to be activated with Windows on startup, they will create key keys in the Registry as follows:

[HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
"Shell" = "Explorer.exe rundll32.exe thxr.wgo nwfdtx"

Payload process

When the installation is successful, the program will contact the main server:

http:///hu*********.ru /images/bb.php

Here they will receive the indicator signals with command syntax and parameters in the following form: "runurl":

- Download different files on temporary directory% temp% from the links specified above and activate them: "taskid"

- Specify the number of fixed tasks: "delay"

- Specify the servers that were contacted: "backurls"

- A list of addresses of supported servers that these malicious programs will connect to later. And all these addresses are stored in the key:

[HKLSOFTWAREClassesidid]
"reporturls"

- After this command performs the connection to the server, they will continue to receive control commands from other servers.

- Therefore, they can continuously download and install different types of malware on the victim's computer. At the time of this article, all the commands they receive are directed to the following unique file: