Threat Encyclopedia

Win32/Oficla.EF

Aliases: Trojan.Sasfis (Symantec), TrojanDropper:Win32/Oficla.G (Microsoft)
Type of infiltration: Trojan
Size: 19968 B
Affected platforms: Microsoft Windows
Signature database version: 4912 (20100303)

Short description

Win32/Oficla.EF is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:
  • %system%\nynw.wmo (20992 B)
  • %temp%\%variable1%.tmp (20992 B)
A string with variable content is used instead of %variable1%.

In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "* rundll32.exe nynw.wmo mynleeq"
The following Registry entries are set:
  • [HKEY_CLASSES_ROOT\idid]
    "op" = %variable2%
    "url%variable3%" = %variable4%
A string with variable content is used instead of *, %variable2-4%.

Other information

The trojan receives data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs. The HTTP protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
The trojan may create the following files:
  • %temp%\%variable5%.tmp
A string with variable content is used instead of %variable5%.

The trojan may set the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Office\%variable6%\Word\Security]
    "VBAWarnings" = 1
    "Level" = 1
    "AccessVBOM" = 1
A string with variable content is used instead of %variable6%.
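
The registry changes listed under Installation and Other information can be looked for in an exported registry snapshot. The following Python script is an added example, not part of the original entry: the export text, the `Explorer.exe` prefix standing in for `*`, the Office version `12.0`, the `op` and `url1` values and the function names are all constructed or hypothetical.

```python
import re
# Constructed sample in .reg export syntax (not taken from a real host).
# "Explorer.exe" stands in for the variable "*" prefix; values are placeholders.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe nynw.wmo mynleeq"

[HKEY_CLASSES_ROOT\idid]
"op"="1"
"url1"="http://example.invalid/"

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security]
"VBAWarnings"=dword:00000001
"Level"=dword:00000001
"AccessVBOM"=dword:00000001
'''
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
OFFICE_SEC = re.compile(r"^hkey_current_user\\software\\microsoft\\office\\[^\\]+\\word\\security$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<s>.*)"|dword:(?P<d>[0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Parse string and dword values into {key path: {value name: str | int}} (lowercased names)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            val = int(m["d"], 16) if m["d"] is not None else m["s"].replace("\\\\", "\\")
            current[m["name"].lower()] = val
    return keys

def find_indicators(keys):
    """Return (indicator, detail) pairs for the registry changes this entry lists."""
    hits = []
    shell = keys.get(WINLOGON, {}).get("shell")
    if isinstance(shell, str) and "rundll32" in shell.lower():  # Shell launching a DLL at logon
        hits.append(("winlogon-shell", shell))
    idid = keys.get(r"hkey_classes_root\idid", {})
    if any(n == "op" or n.startswith("url") for n in idid):  # "op" / "url..." values under HKCR\idid
        hits.append(("hkcr-idid", sorted(idid)))
    for path, vals in keys.items():  # any Office version; Word security values set to 1
        weak = sorted(n for n in ("vbawarnings", "level", "accessvbom") if vals.get(n) == 1)
        if OFFICE_SEC.match(path) and weak:
            hits.append(("word-macro-security", weak))
    return hits

if __name__ == "__main__":
    print(find_indicators(parse_reg(SAMPLE_EXPORT)))
```

A hit on the Word security values alone is weak evidence, since the entry says the trojan only "may" set them and they can also be set by a user or policy.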