From E-mail Attachment to Rogue AV

The postman may ring twice, but Oficla does it thrice. A simple e-mail attachment opens the way for Trojans and rogue AV on unprotected PCs.

Trojan.Dropper.Oficla.O usually spreads via an e-mail attachment hidden behind a fake Microsoft® Office® Word Document icon for credibility. Upon execution, Trojan.Dropper.Oficla.O drops a DLL file (dynamic link library) in the %temp% folder, which is afterwards also copied to the %system% folder under a random name such as pgsb.lto (detected as Gen:Variant.Oficla.2).

The DLL is injected into the svchost.exe process, after which the Trojan deletes itself. To ensure that it is launched at each system startup, the Trojan modifies the following registry key: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell = Explorer.exe rundll32.exe random_dll random_api, where random_dll and random_api may look like a random string combination similar to: pgsb.lto csxyfxr.
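A defender can check for the Winlogon Shell change described above by comparing the value with the stock explorer.exe entry. The following is an added example, not BitDefender's code; the function names and sample values are constructed for illustration, and the parser assumes paths without embedded spaces.

```python
import re
import sys

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"  # stock value of the Winlogon Shell entry

def audit_shell_value(value):
    """Return findings for a Winlogon Shell string; an empty list means stock value."""
    # Split on commas and whitespace (assumption: no paths with embedded spaces).
    tokens = [t.strip('"') for t in re.split(r"[,\s]+", value.strip()) if t]
    findings = []
    if not tokens or tokens[0].lower().split("\\")[-1] != DEFAULT_SHELL:
        findings.append("shell does not start with explorer.exe")
        extra = tokens
    else:
        extra = tokens[1:]
    if extra:
        findings.append("extra command after shell: " + " ".join(extra))
    for i, tok in enumerate(extra):
        if tok.lower().split("\\")[-1] in ("rundll32", "rundll32.exe"):
            # The next two tokens are the library and the exported function.
            args = extra[i + 1:i + 3]
            findings.append("rundll32 launched at logon with: " + " ".join(args))
            if args and not args[0].lower().endswith(".dll"):
                findings.append("library without .dll extension: " + args[0])
    return findings

def read_live_shell_value():
    """Read the Shell value from HKLM on Windows; return None on other systems."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Shell")[0]

# Constructed sample values; the second mirrors the pattern quoted in the article.
SAMPLES = ["explorer.exe", "Explorer.exe rundll32.exe pgsb.lto csxyfxr"]

if __name__ == "__main__":
    live = read_live_shell_value()
    for value in ([live] if live is not None else SAMPLES):
        result = audit_shell_value(value)
        print(repr(value), "->", result or "OK")
```

On Windows the script audits the live registry value; elsewhere it runs over the constructed samples.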

The download component is its payload: the DLL dropper tries to connect to a specific list of URLs, usually hosted in Russia, from where it will retrieve and automatically install a secondary piece of malware, Trojan.Downloader.ABBL. As soon as the new downloader has successfully infected the system, it opens the door to a rogue security solution advertised as Security Essentials 2010 and detected by BitDefender® as Trojan.FakeAV.KZD.


Once the rogue AV is “successfully” installed, it makes additional changes to the registry in order to disable Internet Explorer’s phishing filter and the Windows Task Manager (the latter to prevent the user from killing its process). Moreover, the rogue automatically executes itself upon every Windows boot-up.


In order to stay safe, BitDefender® recommends that you download, install and update a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection, and that you exercise extra caution when prompted to open files from unfamiliar locations.

Information in this article is available courtesy of BitDefender virus researcher Ovidiu Vişoiu.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.