- Trojan.Win32.Agent.duxv (detected by Kaspersky Lab)
- Trojan: SpyAgent-br.dll (McAfee)
- Mal/Oficla-A (Sophos)
- Trj/Sinowal.WZZ (Panda)
- Trojan:Win32/Oficla.M (MS OneCare)
- Trojan.Oficla.38 (DrWeb)
- Win32/Oficla.GN trojan (Nod32)
- Trojan.Oficla.S (BitDef7)
- Win32:Rootkit-gen [Rtk] (AVAST)
- Trojan.Win32.Oficla (Ikarus)
- Generic17.CFKT (AVG)
- TR/Spy.Inject.L (AVIRA)
- Trojan.Sasfis (NAV)
- W32/Oficla.FJ (Norman)
- Trojan.Win32.Generic.5205573B (Rising)
- Trojan.Win32.Oficla.w [AVP] (FSecure)
- TROJ_DLOADR.SMVE (TrendMicro)
- Trojan.Win32.Sasfis.a (v) (Sunbelt)
Trojan.Win32.Oficla.w was first detected on April 26, 2010 at 21:24 GMT; it became active one day later, on April 27, 2010 at 3:50 GMT, and this analysis was published on 07/07/2010 at 11:08 GMT.
Detailed technical analysis
Like other Trojan programs, it includes a mechanism to automatically download and run other malware once it has compromised the victim's computer. When run, the Trojan extracts and creates a Windows system library (*.dll) in the system directory under the name %system%\thxr.wgo. To be launched together with Windows at startup, it creates the following Registry value, which appends a rundll32.exe call (loading thxr.wgo and calling its export nwfdtx) to the normal Explorer.exe shell:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe rundll32.exe thxr.wgo nwfdtx"
Payload process
Once installation has succeeded, the program contacts its main server:
http://hu*********.ru/images/bb.php
From this server it receives command signals whose syntax and parameters take the following form:
- "runurl": download files into the temporary directory %temp% from the specified links and run them
- "taskid": specifies the task number
- "delay": specifies the servers that were contacted
- "backurls": a list of addresses of backup servers that the malicious program will connect to later. All of these addresses are stored in the key:
[HKLM\SOFTWARE\Classes\idid]
"reporturls"
- After this command has been processed and the connection to the server made, the Trojan goes on receiving control commands from the other servers.
- It can therefore continuously download and install different types of malware onto the victim's computer. At the time of writing, all the commands it received pointed to a single file:
http://russ**nmomds.ru/dogma.exe
- The attackers can also use these programs to change and reconfigure the malware that will be deployed next from other servers.
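The two host artefacts described above (the hijacked Winlogon "Shell" value that chains rundll32.exe onto Explorer.exe, and the list of backup server addresses kept in the "reporturls" value under HKLM\SOFTWARE\Classes\idid) are what an incident responder would look for in a registry export. The following triage helper is an added example, not code from the original analysis: it parses a .reg export, flags anything appended to the Winlogon shell, pulls out the rundll32 DLL and export name, and lists the URLs found in "reporturls". The sample export is constructed; the key paths, value names and the thxr.wgo / nwfdtx names come from the analysis text, while the backup server addresses and the separator between them are assumptions (the analysis does not state the storage format).

```python
"""Registry triage for the Trojan.Win32.Oficla.w artefacts described in the
analysis. Added example, not part of the original write-up."""
import re
from typing import Dict, List, Optional, Tuple

# Key paths named in the analysis (HKLM written out as a .reg export spells it).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
OFICLA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid"

# Delimiter-agnostic URL matcher: the analysis does not say how reporturls
# separates addresses, so stop at whitespace or common separators.
URL_RE = re.compile(r"https?://[^\s|;,\"]+")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser returning {key_path: {value_name: string_data}}.

    Only REG_SZ lines of the form "name"="data" are handled, which is all the
    two artefacts need. Doubled backslashes in .reg data are unescaped."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        val_match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if val_match and current is not None:
            keys[current][val_match.group(1)] = val_match.group(2).replace("\\\\", "\\")
    return keys


def check_winlogon_shell(shell_value: str) -> Tuple[bool, List[str]]:
    """Return (suspicious, extra_tokens).

    A clean Shell value is just explorer.exe. Every token appended after it is
    started at each logon, which is exactly how Oficla persists."""
    tokens = shell_value.split()
    if not tokens:
        return False, []
    if tokens[0].lower() != "explorer.exe":
        return True, tokens          # shell replaced outright
    return len(tokens) > 1, tokens[1:]


def rundll32_target(extra_tokens: List[str]) -> Optional[Tuple[str, str]]:
    """If the appended command is 'rundll32.exe <dll> <export>', return (dll, export)."""
    if len(extra_tokens) >= 3 and extra_tokens[0].lower() == "rundll32.exe":
        return extra_tokens[1], extra_tokens[2]
    return None


def triage(reg_text: str) -> List[dict]:
    """Report the Oficla artefacts present in a .reg export."""
    keys = parse_reg_export(reg_text)
    findings: List[dict] = []

    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None:
        suspicious, extra = check_winlogon_shell(shell)
        if suspicious:
            finding = {"artefact": "winlogon_shell", "value": shell, "extra": extra}
            target = rundll32_target(extra)
            if target:
                finding["dll"], finding["export"] = target
            findings.append(finding)

    report = keys.get(OFICLA_KEY, {}).get("reporturls")
    if report is not None:
        # Backup C2 addresses the Trojan will fall back to later.
        findings.append({"artefact": "reporturls", "urls": URL_RE.findall(report)})
    return findings


# Constructed sample export: Oficla values as the analysis describes them,
# plus a benign Userinit value to show the parser ignores it. The backup
# addresses and the '|' separator are assumptions, not from the analysis.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe thxr.wgo nwfdtx"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid]
"reporturls"="http://backup-a.invalid/bb.php|http://backup-b.invalid/bb.php"
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

Run against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon winlogon.reg` on the host), the Shell check is the higher-signal of the two: any token after explorer.exe is abnormal on a stock system, whereas the idid key only confirms this particular family.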