
From E-mail Attachment to Rogue AV

Loredana BOTEZATU

May 14, 2010


Trojan.Dropper.Oficla.O usually spreads as an e-mail attachment hidden behind a fake Microsoft® Office® Word document icon for credibility. Upon execution, Trojan.Dropper.Oficla.O drops a DLL (dynamic link library) file in the %temp% folder, which is afterwards also copied to the %system% folder under a random name such as pgsb.lto (detected as Gen:Variant.Oficla.2).

The DLL is injected into the svchost.exe process, followed by the deletion of the Trojan. To ensure it is launched at each system startup, the Trojan modifies the following registry value:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = Explorer.exe rundll32.exe random_dll random_api

where random_dll and random_api are random-looking string combinations such as pgsb.lto and csxyfxr.
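The Winlogon Shell modification above is easy to check for: on a clean system the value launches only Explorer.exe, so any trailing rundll32 command is a persistence indicator. The following script is an added example, not BitDefender's code; it tokenises a Shell value, reports each rundll32 entry with the DLL and export it would load, and, when run on Windows, also reads the live value from the registry (the pgsb.lto / csxyfxr names are taken from the article as constructed sample input).

```python
import sys

# Clean Windows default: Winlogon's Shell value launches only Explorer.
EXPECTED_SHELL = "explorer.exe"

def inspect_shell_value(value):
    """Tokenise a Winlogon Shell value and report anything beyond Explorer.exe;
    Oficla.O appends 'rundll32.exe <dll> <export>', so each rundll32 entry is
    reported with the dll and export name it would load."""
    tokens = value.strip().split()
    findings = []
    if not tokens or tokens[0].rstrip(",").lower() != EXPECTED_SHELL:
        findings.append(f"shell is not {EXPECTED_SHELL}: {value!r}")
    i = 1
    while i < len(tokens):
        tok = tokens[i].rstrip(",")
        if tok.lower() == "rundll32.exe":
            dll = tokens[i + 1] if i + 1 < len(tokens) else None
            export = tokens[i + 2] if i + 2 < len(tokens) else None
            findings.append(f"rundll32 persistence: dll={dll} export={export}")
            i += 3
        else:
            findings.append(f"unexpected entry: {tok}")
            i += 1
    return {"value": value, "suspicious": bool(findings), "findings": findings}

def read_live_shell_value():
    """Read the real Shell value on Windows; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    key_path = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        return winreg.QueryValueEx(key, "Shell")[0]

# Constructed sample values: the clean default and the Oficla-style entry
# from the article (pgsb.lto / csxyfxr are the article's example names).
SAMPLES = ["Explorer.exe", "Explorer.exe rundll32.exe pgsb.lto csxyfxr"]

if __name__ == "__main__":
    live = read_live_shell_value()
    for sample in SAMPLES + ([live] if live else []):
        report = inspect_shell_value(sample)
        status = "SUSPICIOUS" if report["suspicious"] else "clean"
        print(f"{status}: {sample!r}")
        for finding in report["findings"]:
            print("   -", finding)
```

The same check can be pointed at the HKCU copy of the Winlogon key, since a per-user Shell value overrides the machine-wide one.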

The download component is its payload: the DLL dropper tries to connect to a specific list of URLs, usually hosted in Russia, from where it retrieves and automatically installs a secondary piece of malware, Trojan.Downloader.ABBL. As soon as the new downloader has successfully infected the system, it opens the door to a rogue security solution advertised as Security Essentials 2010 and detected by BitDefender® as Trojan.FakeAV.KZD.

[Screenshot: security essentials 2010]

Once the rogue AV is “successfully” installed, additional changes are made to the registry to disable Internet Explorer's phishing filter and the Windows Task Manager (the latter to prevent the user from killing its process). Moreover, the rogue automatically executes itself upon every Windows boot-up.

[Screenshot: security essentials 2010]

To stay safe, BitDefender® recommends that you download, install and update a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection, and that you exercise extra caution when prompted to open files from unfamiliar locations.

Information in this article is available courtesy of BitDefender virus researcher Ovidiu Vişoiu.
