Virus: TR/Oficla.AA
Date discovered: 07/07/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 34.816 Bytes
MD5 checksum: ee97199dec81e92d2a1013c827afd5bc
IVDF version: 7.10.09.29 - Wednesday, July 7, 2010

General
Method of propagation:
   • Email


Platforms / OS:
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following location:
   • %TEMPDIR%\svchost.exe



The following files are created:

– %TEMPDIR%\tmpf5c96f2a.bat
   Furthermore, it gets executed after it was fully created. This batch file is used to delete a file.
– %HOME%\Application Data\Voutt\ifzap.exe
– %HOME%\Application Data\Fipizy\poyr.imx
– %temporary internet files%\Content.IE5\89ATUD5F\boom[1].jpg
– %temporary internet files%\Content.IE5\89ATUD5F\google[1].htm
– %temporary internet files%\Content.IE5\89ATUD5F\webhp[1].htm
– %temporary internet files%\Content.IE5\89ATUD5F\webstat[1].htm
– %HOME%\Application Data\Beepoh\erar.exe



It tries to download a file:

– The location is the following:
   • http://www.um**********oom5.gif
It is saved on the local hard drive under:
   • %TEMPDIR%\system.exe
Furthermore, this file gets executed after it was fully downloaded. Further investigation showed that this file is malware, too.

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="Explorer.exe C:\\DOCUME~1\\MAKROR~1\\LOCALS~1\\Temp\\svchost.exe"



The following registry value is re-added continuously, in an infinite loop, in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "{B579423A-2522-DBB3-1CB3-9B491420520F}"="\"C:\\Documents and Settings\\makrorechner\\Application Data\\Beepoh\\erar.exe\""



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "C:\\DOCUME~1\\MAKROR~1\\LOCALS~1\\Temp\\svchost.exe"="C:\\DOCUME~1\\MAKROR~1\\LOCALS~1\\Temp\\svchost.exe:*:Enabled:svchost.exe"



The following registry key is added:

– [HKCU\Software\Microsoft\Ikcie]
   • %hex values%
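As an added example that is not part of this description (constructed here, not Avira's code), the following Python script parses a "reg export"-style text dump and flags the three persistence mechanisms listed above: a Winlogon Shell value that launches anything beyond Explorer.exe, a Run value with a GUID-style name or a temp-directory path, and a firewall exception for an executable in a temp directory. The sample dump is constructed from the entries above, each beside a constructed benign neighbour so the filter has something to ignore.

```python
import re

# Constructed sample in "reg export" layout: the three entries this
# description lists, each beside a constructed benign neighbour.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\DOCUME~1\\MAKROR~1\\LOCALS~1\\Temp\\svchost.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{B579423A-2522-DBB3-1CB3-9B491420520F}"="\"C:\\Documents and Settings\\makrorechner\\Application Data\\Beepoh\\erar.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\DOCUME~1\\MAKROR~1\\LOCALS~1\\Temp\\svchost.exe"="C:\\DOCUME~1\\MAKROR~1\\LOCALS~1\\Temp\\svchost.exe:*:Enabled:svchost.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

GUID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports double every backslash and escape embedded quotes
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text):
    keys, current = {}, None  # {key path: {value name: string data}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys

def find_persistence(keys):
    hits = []  # (key path, value name, reason) for each suspicious entry
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            d = data.lower()
            if k.endswith('\\winlogon') and name.lower() == 'shell' and d != 'explorer.exe':
                hits.append((key, name, 'Shell launches more than Explorer.exe'))
            elif k.endswith('\\currentversion\\run') and (GUID_RE.match(name) or '\\temp\\' in d):
                hits.append((key, name, 'Run value with GUID name or temp-dir path'))
            elif k.endswith('\\authorizedapplications\\list') and '\\temp\\' in d:
                hits.append((key, name, 'firewall exception for a temp-dir executable'))
    return hits
```

Run it against the output of `reg export` on a suspect key; the benign Userinit, ctfmon.exe and Messenger entries in the sample produce no hit.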

Email
It doesn't have its own spreading routine, but it was spammed out via email. Its characteristics are described in the following:


From:
The sender address is spoofed.


Subject:
The following:
   • DHL Tracking Number %character string%



Body:
The body of the email is the following:

   • Hello!
     
     The courier company was not able to deliver your parcel by your address.
     
     You may pickup the parcel at our post office personaly.
     
     The shipping label is attached to this e-mail.
     Please print this label to get this package at our post office.
     
     Thank you for attention.
     DHL Delivery Services.


Attachment:
The filename of the attachment is:
   • DHL_INVOICE23.zip

The attachment is an archive containing a copy of the malware itself.



The email looks like the following: [screenshot not reproduced]


Injection
It injects itself into a process.

Process name:
   • explorer.exe


File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Patrick Schoenherr on Wednesday, July 7, 2010
Description updated by Patrick Schoenherr on Wednesday, July 7, 2010
