Win32/Oficla [Threat Name] go to Threat

Win32/Oficla.HE [Threat Variant Name]

Category trojan
Size 20480 B
Detection created May 21, 2010
Detection database version 5134
Aliases Trojan.Win32.Oficla.cxo (Kaspersky)
  SpyAgent-br.dll.trojan (McAfee)
  Trojan:Win32/Oficla.AC (Microsoft)
  Trojan.Sasfis (Symantec)
  Win32:Oficla-AI (Avast)
  Trojan.Oficla.AE (BitDefender)
Short description

Win32/Oficla.HE is a trojan which tries to download other malware from the Internet. It can be controlled remotely. The trojan is usually a part of other malware.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\­yise.ero

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "%originalvalue% rundll32.exe yise.ero mpgyjp"

The trojan launches the following processes:

  • svchost.exe

The trojan creates and runs a new thread with its own code within these running processes.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version

The trojan keeps various information in the following Registry key:

  • [HKEY_CLASSES_ROOT\­idid]

Please enable Javascript to ensure correct displaying of this content and refresh this page.