Win32/Oficla [Threat Name] go to Threat

Win32/Oficla.EF [Threat Variant Name]

Category trojan
Size 19968 B
Detection created Mar 03, 2010
Detection database version 4912
Aliases Trojan.Sasfis (Symantec)
  TrojanDropper:Win32/Oficla.G (Microsoft)
Short description

Win32/Oficla.EF is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:

  • %system%\­nynw.wmo (20992 B)
  • %temp%\­%variable1%.tmp (20992 B)

A string with variable content is used instead of %variable1% .


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "* rundll32.exe nynw.wmo mynleeq"

The following Registry entries are set:

  • [HKEY_CLASSES_ROOT\­idid]
    • "op" = %variable2%
    • "url%variable3%" = %variable4%

A string with variable content is used instead of *, %variable2-4% .

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (1) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The trojan may create the following files:

  • %temp%\­%variable5%.tmp

A string with variable content is used instead of %variable5% .


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Office\­%variable6%\­Word\­Security]
    • "VBAWarnings" = 1
    • "Level" = 1
    • "AccessVBOM" = 1

A string with variable content is used instead of %variable6% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.