From E-mail Attachment to Rogue AV

14 May 2010
The postman may ring twice, but Oficla does it thrice. A simple e-mail attachment opens the way for Trojans and rogue AV on unprotected PCs.

 

Trojan.Dropper.Oficla.O usually spreads as an e-mail attachment hidden behind a fake Microsoft® Office® Word document icon for credibility. Upon execution, Trojan.Dropper.Oficla.O drops a DLL (dynamic link library) file in the %temp% folder, which is afterwards also copied into the %system% folder under a random name such as pgsb.lto (detected as Gen:Variant.Oficla.2).
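The attachment trick described above relies on the recipient trusting a document icon. The icon is a resource inside the executable and is not inspected here; instead, the following mail-gateway style check (an added example, not BitDefender's code or anything from the article) looks at what the article actually describes: an attachment that is a Windows executable presented as a document. It reads the MZ/PE header and compares it with the name the user sees, including the double-extension and whitespace-padding variants of the same idea. The sample bytes and file names are constructed for the example.

```python
import struct

# Extensions a user reads as "a document" versus ones Windows will execute.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"}


def is_pe_image(data: bytes) -> bool:
    """True when data starts with an MZ stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def triage_attachment(filename: str, data: bytes):
    """Return (verdict, findings) for one attachment; verdict is 'allow', 'review' or 'block'."""
    findings = []
    name = filename.strip().lower()
    # Collapse the "report.doc          .exe" padding trick before reading the extensions.
    parts = [p for p in name.replace(" ", "").split(".") if p]
    exts = ["." + p for p in parts[1:]]
    last = exts[-1] if exts else ""
    pe = is_pe_image(data)

    if pe:
        findings.append("content is a PE executable")
    if pe and last in DOCUMENT_EXTENSIONS:
        findings.append(f"executable content behind document extension {last}")
    if last in EXECUTABLE_EXTENSIONS and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
        findings.append(f"double extension ending in {last}")
    if "  " in filename and last in EXECUTABLE_EXTENSIONS:
        findings.append("whitespace padding hides the real extension")

    # A name-based finding on top of executable content (or an executable extension) is a block.
    suspicious_name = len(findings) > (1 if pe else 0)
    if suspicious_name and (pe or last in EXECUTABLE_EXTENSIONS):
        return "block", findings
    if pe or last in EXECUTABLE_EXTENSIONS:
        return "review", findings
    return "allow", findings


def _constructed_pe_stub() -> bytes:
    """Constructed sample: the bare MZ/PE skeleton every Windows executable starts with."""
    img = bytearray(0x80)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)   # e_lfanew -> offset of the PE signature
    img[0x40:0x44] = b"PE\x00\x00"
    return bytes(img)


SAMPLE_PE = _constructed_pe_stub()
# Constructed sample: the OLE2 compound-file signature a genuine legacy .doc starts with.
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 0x78

if __name__ == "__main__":
    for fname, blob in [("Report.doc", SAMPLE_PE), ("Report.doc", SAMPLE_DOC),
                        ("Report.doc.exe", SAMPLE_PE), ("Report.doc        .exe", SAMPLE_PE)]:
        verdict, why = triage_attachment(fname, blob)
        print(f"{fname!r}: {verdict} {why}")
```

The verdicts are deliberately coarse: an executable with an honest name is only sent for review, while executable content wearing a document name is blocked outright, because that combination has no legitimate use in mail.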

The DLL is injected into the svchost.exe process, after which the Trojan's own executable is deleted. In order to ensure that it is launched at each system startup, the Trojan modifies the following registry value:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = Explorer.exe rundll32.exe random_dll random_api

where random_dll and random_api are random strings such as pgsb.lto csxyfxr.

The download component is its payload: the DLL dropper tries to connect to a specific list of URLs, usually hosted in Russia, from which it retrieves and automatically installs a secondary piece of malware, Trojan.Downloader.ABBL. As soon as the new downloader has successfully infected the system, it opens the door to a rogue security solution advertised as Security Essentials 2010 and detected by BitDefender® as Trojan.FakeAV.KZD.

[Screenshot: the Security Essentials 2010 rogue AV]

Once the rogue AV is “successfully” installed, it makes additional registry changes to disable Internet Explorer’s phishing filter and the Windows Task Manager (the latter to prevent the user from killing its process). Moreover, the rogue executes itself automatically at every Windows boot-up.
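The two registry changes the article describes, the Winlogon Shell value carrying an extra rundll32.exe loader and the policy changes made by the rogue AV, are easy to audit offline from a registry export (on Windows, the output of `reg export`). The script below is an added example, not BitDefender's tooling or anything published with the article. The Winlogon Shell location comes from the article; the DisableTaskMgr policy value and the Internet Explorer PhishingFilter key (Enabled for IE7, EnabledV8 for IE8) are the standard locations for those settings and are assumptions here, since the article does not name the values the rogue touches. Both .reg samples are constructed; the infected one reuses the pgsb.lto csxyfxr names from the article.

```python
import re

# Location named in the article (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Standard policy / feature locations, assumed here; the article does not name them.
TASKMGR_POLICY_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System",
)
PHISHING_FILTER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter"


def _decode_value(raw: str):
    """Decode the value side of a .reg line: quoted strings and dword:, anything else verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text: str):
    """Parse a .reg export into {key_lower: {value_name_lower: value}}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name = m.group(1).replace('\\"', '"').replace("\\\\", "\\").lower()
            reg[current][name] = _decode_value(m.group(2))
    return reg


def audit_registry_export(text: str):
    """Return a list of human-readable findings for the persistence and tampering described."""
    reg = parse_reg_export(text)
    findings = []

    shell = reg.get(WINLOGON_KEY.lower(), {}).get("shell")
    if shell is not None:
        tokens = shell.split()
        # A healthy Shell value is exactly "explorer.exe"; anything appended runs at every logon.
        if [t.lower() for t in tokens] != ["explorer.exe"]:
            findings.append(f"Winlogon Shell launches more than explorer.exe: {shell!r}")
            if any(t.lower() == "rundll32.exe" for t in tokens):
                findings.append("Shell value uses rundll32.exe to load a DLL export at logon")

    for key in TASKMGR_POLICY_KEYS:
        if reg.get(key.lower(), {}).get("disabletaskmgr") == 1:
            findings.append(f"Task Manager disabled by policy under {key}")

    pf = reg.get(PHISHING_FILTER_KEY.lower(), {})
    for name in ("enabled", "enabledv8"):
        if pf.get(name) == 0:
            findings.append(f"Internet Explorer phishing filter turned off ({name}=0)")
    return findings


# Constructed sample: what an export of the keys looks like after the infection described.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe pgsb.lto csxyfxr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000
"""

# Constructed sample: the same keys on a clean machine.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000001
"""

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, audit_registry_export(export) or "no findings")
```

The Shell check compares the whole token list rather than searching for a known DLL name, so it also catches the next variant that picks different random names; the random_dll / random_api pair the article mentions is exactly why a name-based signature is the wrong tool here.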

[Screenshot: the Security Essentials 2010 rogue AV]

In order to stay safe, BitDefender® recommends that you download, install and update a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection, and that you exercise extra caution when prompted to open files from unfamiliar sources.

Information in this article is available courtesy of BitDefender virus researcher Ovidiu Vişoiu.

Loredana sees in BitDefender a new challenge and a fresh approach to her professional development. Her enthusiasm, curiosity and, of course, lots of research, are some of the features that make her a competitive player in the security industry.
