Troj/Oficla-AB is a Trojan.
Troj/Oficla-AB is a Trojan distributed by email. It has been seen in email attachments with names such as:
My_Documents.zip
DHL_Print_Label_ID5114.zip
Troj/Oficla-AB exhibits the following behavior:
When executed, it drops a copy of malware detected as Mal/Oficla-A into the %TEMP% folder and injects it into the svchost.exe process. It also creates a randomly named DLL in the %SYSTEM% folder (also detected as Mal/Oficla-A).
In order to run the DLL from the %SYSTEM% folder at every logon, Troj/Oficla-AB sets the following registry value:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Explorer.exe rundll32.exe <randomname> <random export>
Once installed and active, Troj/Oficla-AB attempts to access a website under the Russian .ru domain:
ilovelasvegas.ru
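The Winlogon\Shell modification above is the persistence point a responder should check first: the legitimate value is just explorer.exe, so any extra program appended to it (here rundll32.exe loading a DLL from %SYSTEM% by export name) is a finding. The script below is an added triage example, not code from this advisory or from Sophos. It parses a Shell value offline (the splitting on commas and whitespace is an assumption made for triage; any deviation from explorer.exe is flagged regardless), pulls out rundll32 DLL/export pairs, and compares a file's hashes against the SHA-1 and MD5 listed under File Information. The sample value and DLL name in it are constructed placeholders, and the live registry read only works on a Windows host.

```python
"""Triage helper for the Winlogon\\Shell persistence used by Troj/Oficla-AB.

Added example for this advisory; not Sophos code. Run with no arguments to
read the live value on Windows, or pass a Shell value string to analyse."""
import hashlib
import os
import re
import sys
from dataclasses import dataclass, field

# Indicators copied from the advisory's File Information block.
KNOWN_SHA1 = "a2e1c5566b64f37737eddea49cd6beea5db3e3cd"
KNOWN_MD5 = "9ffc6994a66be0d8667550a0e9ed80ea"

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CLEAN_SHELL = "explorer.exe"

# rundll32[.exe] <dll>[,| ]<export>  (the advisory's "<randomname> <random export>")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+?)(?:\s*,\s*|\s+)(\S+)", re.IGNORECASE)


@dataclass
class ShellFinding:
    value: str
    extra_commands: list = field(default_factory=list)   # tokens beyond explorer.exe
    rundll32_targets: list = field(default_factory=list)  # (dll, export) pairs
    suspicious: bool = False


def analyze_shell_value(value: str) -> ShellFinding:
    """Flag anything other than a bare explorer.exe in the Shell value."""
    text = value.strip()
    if text.strip('"').lower() == CLEAN_SHELL:
        return ShellFinding(value)
    # Assumption: Winlogon runs each comma/space separated program listed, so
    # every token that is not explorer.exe is an extra autostart entry.
    extra = [t for t in re.split(r"[,\s]+", text) if t and t.lower() != CLEAN_SHELL]
    targets = [(m.group(1), m.group(2)) for m in RUNDLL_RE.finditer(text)]
    return ShellFinding(value, extra, targets, True)


def resolve_system_path(name: str) -> str:
    """A bare DLL name in the Shell value is loaded from %SYSTEM%, i.e. System32."""
    if os.path.isabs(name):
        return name
    system_root = os.environ.get("SystemRoot", r"C:\Windows")  # assumption on non-Windows
    return os.path.join(system_root, "System32", name)


def hashes_of(data: bytes) -> dict:
    return {"sha1": hashlib.sha1(data).hexdigest(), "md5": hashlib.md5(data).hexdigest()}


def matches_advisory_sample(data: bytes) -> bool:
    """True if the bytes hash to the SHA-1 or MD5 published for this sample."""
    h = hashes_of(data)
    return h["sha1"] == KNOWN_SHA1 or h["md5"] == KNOWN_MD5


def read_live_shell_value():
    """Read HKLM\\...\\Winlogon\\Shell on Windows; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
        return value


if __name__ == "__main__":
    # Constructed sample mirroring the advisory's pattern; the DLL and export
    # names are placeholders, not real indicators.
    fallback = "Explorer.exe rundll32.exe kfjdhs.dll qwer"
    value = sys.argv[1] if len(sys.argv) > 1 else (read_live_shell_value() or fallback)
    finding = analyze_shell_value(value)
    print(f"Shell value: {finding.value!r}")
    print(f"Suspicious:  {finding.suspicious}")
    for dll, export in finding.rundll32_targets:
        path = resolve_system_path(dll)
        print(f"rundll32 loads {path} export {export!r}")
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                data = fh.read()
            print(f"  {hashes_of(data)}  known sample: {matches_advisory_sample(data)}")
```

On a live host, also check the HKCU copy of the Winlogon key and compare the DLL's hash against the listed values; a different hash does not clear the file, since the advisory says the DLL name is random and other Oficla builds will hash differently.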
File Information
- Size: 36K
- SHA-1: a2e1c5566b64f37737eddea49cd6beea5db3e3cd
- MD5: 9ffc6994a66be0d8667550a0e9ed80ea
- CRC-32: ba075dc2
- File type: application/x-ms-dos-executable
- First seen: 2010-09-02
Other vendor detection
- Avira: TR/Dldr.FakeAV.AS
- Kaspersky: Trojan-Dropper.Win32.Agent.cxma
Runtime Analysis
Processes Created
- c:\windows\system32\drwtsn32.exe
- c:\windows\system32\dwwin.exe
Both of these are Windows' own Dr. Watson crash-reporting components, which indicates the sample faulted in the analysis environment; the %TEMP% drop, svchost.exe injection and %SYSTEM% DLL described above may therefore not all appear in a single automated run.