Virus: TR/Oficla.W.1
Date discovered: 14/07/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 862528 Bytes
MD5 checksum: 41B2DBB997CE5FF443DD5594EB6BCFF2
IVDF version: 7.10.09.86 - Wednesday, July 14, 2010

General Method of propagation:
   • No own spreading routine


Aliases:
   •  F-Secure: Trojan-Downloader:W32/Oficla.GX
   •  Sophos: Mal/FakeAV-BW


Platforms / OS:
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Registry modification
   • Steals information

Files
It copies itself to the following location. This file has random bytes appended, so it may differ from the original one:
   • %SYSDIR%\svrwsc.exe



The following file is created:

– Non malicious file:
   • %WINDIR%\Debug\UserMode\userenv.log

Registry
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"=hex(2):%hex values%
   • "DisplayName"="Windows Security Center Service"
   • "ObjectName"="LocalSystem"
   • "Description"="The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service."

– [HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Security]
   • "Security"=hex:%hex values%



The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Enum]
   • "0"="Root\LEGACY_SVRWSC\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVRWSC]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVRWSC\0000]
   • "Service"="SvrWsc"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Windows Security Center Service"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVRWSC\0000\Control]
   • "*NewlyCreated*"=dword:00000000

– [HKLM\SOFTWARE\Microsoft\DirectX\MSA]
   • "ver"=hex(b):cd,a2,c7,01,38,6b,01,d1
   • "X1"=hex:%hex values%

– [HKLM\SOFTWARE\Microsoft\DirectX\MSB]
   • "X1"=hex:00,00,00,00
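As an added defender-side example (not part of the Avira description), the following Python parses a small registry export constructed from the SvrWsc service key listed above and flags the persistence indicators the description gives: a display name impersonating the Windows Security Center service, an ImagePath ending in svrwsc.exe, and auto-start as LocalSystem. The ImagePath string is an assumed value, since the page only shows %hex values%.

```python
import re
# Constructed .reg-style export of the SvrWsc service key listed above, with HKLM spelled
# out; ImagePath is hex(2) (REG_EXPAND_SZ, UTF-16LE) as in the listing, its path assumed.
IMAGE_PATH = r"%SystemRoot%\system32\svrwsc.exe"
HEX2 = ",".join(f"{b:02x}" for b in (IMAGE_PATH + "\0").encode("utf-16-le"))
SAMPLE_REG = rf"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvrWsc]
"Start"=dword:00000002
"ImagePath"=hex(2):{HEX2}
"DisplayName"="Windows Security Center Service"
"ObjectName"="LocalSystem"
"""
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvrWsc"

def decode_value(raw):
    # Handles the value syntaxes used on this page: "str", dword:, hex:, hex(2):
    if raw.startswith('"'):
        return raw.strip('"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)", raw)
    if not m:
        return raw
    data = bytes.fromhex(m.group(2).replace(",", ""))
    if m.group(1) == "2":  # REG_EXPAND_SZ: UTF-16LE text with a NUL terminator
        return data.decode("utf-16-le").rstrip("\x00")
    return data

def parse_reg(text):
    # Returns {key_path: {value_name: decoded_value}}
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_value(raw)
    return keys

def find_oficla_service(keys):
    # Returns the indicators from the description that match the SvrWsc service key
    svc = keys.get(SERVICE_KEY, {})
    hits = []
    if svc.get("DisplayName") == "Windows Security Center Service":
        hits.append("display name mimics the Security Center service")
    if str(svc.get("ImagePath", "")).lower().endswith("svrwsc.exe"):
        hits.append("ImagePath points at svrwsc.exe")
    if svc.get("Start") == 2 and svc.get("ObjectName") == "LocalSystem":  # 2 = auto-start
        hits.append("auto-starts as LocalSystem after reboot")
    return hits
```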

Backdoor
Contact server:
   • m**********ng.ru/music/forum/index1.php

It also periodically repeats the connection. This is done via the HTTP POST method to a PHP script.

Description inserted by Patrick Schoenherr on Wednesday, July 14, 2010
Description updated by Patrick Schoenherr on Wednesday, July 14, 2010
