Malware Trojan.Win32.Oficla.dxy

Posted: August 29, 2012 in Encyclopedia viruses

Malware Trojan.Win32.Oficla.dxy – Trojan has a destructive effect on the user’s computer.

Technical details

Trojan has a destructive effect on the user’s computer. The program itself is a Windows PE DLL file, 20480 bytes in size, written in C++.

Installation

The Trojan copies its body to the current user’s temporary directory under the name “ibee.dwo”:

%Temp%\ibee.dvo

To run automatically at system startup, the Trojan adds an entry to the system registry:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe rundll32.exe %Temp%\ibee.dwo bibltn"

Destructive activity

If the “Microsoft Office” application is installed on the user’s computer, the Trojan sets a low security level for Word by writing the following values to the registry key:

[HKCU\Software\Microsoft\Office\11.0\Word\Security] "Level" = "1" "AccessVBOM" = "1"

It then runs a macro through which the original body of the Trojan is launched.
To ensure that only one instance of its process runs on the system, the Trojan creates a unique identifier named:

4025350706eeda32

The Trojan then creates a process named “svchost.exe” and injects its malicious code into that process’s address space:

svchost.exe

The Trojan sends a request to the following address:

http://**artcrip**.com/full/bb.php

In response it receives a configuration file used for its further operation.

The Trojan stores the links for downloading other malicious files, obtained from the configuration file, in the following registry key:

[HKCR\idid]

Removal

If your computer was not protected by an antivirus product and has been infected with this malware, do the following to remove it:

Delete the original Trojan file (its location will depend on how the program originally penetrated the victim machine).

Delete files:

%Temp%\ibee.dvo

Clear the Temporary Internet Files directory, which may contain infected files:

%Temporary Internet Files%

Delete the registry key:

[HKCR\idid]

If necessary, reset the “Level” and “AccessVBOM” options in the registry key:

[HKCU\Software\Microsoft\Office\11.0\Word\Security] "Level" "AccessVBOM"

Restore the value of the following registry key to:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe"
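The Installation and Destructive activity sections above list three registry changes (the Winlogon “Shell” value, the Word “Level” and “AccessVBOM” values, and the HKCR\idid key), and the Removal section tells you to undo them. The following is an added example, not code from the encyclopedia entry: it parses a regedit .reg export, flags those indicators, and confirms that an export taken after cleanup is clear. It assumes the export uses plain string and dword values; the two sample exports, the victim path and the placeholder URL are constructed for illustration.

```python
"""Added example (not part of the encyclopedia entry): parse a regedit
.reg export and flag the registry changes the entry attributes to
Trojan.Win32.Oficla.dxy, then confirm a cleaned export is clear.
The sample exports below are constructed for illustration."""
import re
from typing import Dict, List

Registry = Dict[str, Dict[str, object]]

# Long hive names as written by regedit, mapped to the short aliases used in the entry.
HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU", "HKEY_CURRENT_CONFIG": "HKCC",
}
# Keys named in the entry, lower-cased because registry lookups are case-insensitive.
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
WORD_SECURITY = r"hkcu\software\microsoft\office\11.0\word\security"
IDID = r"hkcr\idid"

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> Registry:
    """Parse the subset of .reg syntax regedit emits: [key] headers,
    "name"="string" and "name"=dword:hex lines. Other value types are kept raw."""
    reg: Registry = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            short = HIVE_ALIASES.get(hive.upper(), hive.upper())
            current = (short + ("\\" + rest if rest else "")).lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.lower().startswith("dword:"):
            reg[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # regedit escapes backslashes and quotes inside string data
            reg[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            reg[current][name] = data
    return reg


def _is_one(value) -> bool:
    # The entry quotes the values as "1"; a real export stores them as dword:00000001.
    return value == 1 or (isinstance(value, str) and value.strip() == "1")


def find_indicators(reg: Registry) -> List[str]:
    """Return one finding per indicator from the entry that is present."""
    findings: List[str] = []
    shell = reg.get(WINLOGON, {}).get("shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is not plain Explorer.exe: {shell!r}")
    security = reg.get(WORD_SECURITY, {})
    if _is_one(security.get("level")):
        findings.append('Word security "Level" lowered to 1')
    if _is_one(security.get("accessvbom")):
        findings.append('"AccessVBOM" = 1 permits programmatic access to VBA projects')
    if IDID in reg:
        findings.append("HKCR\\idid exists (the Trojan's download-link store)")
    return findings


def is_clean(text: str) -> bool:
    """True when an export shows none of the entry's indicators; use it after the removal steps."""
    return not find_indicators(parse_reg_export(text))


# Constructed sample: what an export from an infected machine could look like.
SAMPLE_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe C:\\Users\\victim\\AppData\\Local\\Temp\\ibee.dwo bibltn"

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security]
"Level"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CLASSES_ROOT\idid]
"0"="http://example.invalid/placeholder.exe"
"""

# Constructed sample: the same keys after the removal steps in the entry.
SAMPLE_CLEANED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security]
"Level"=dword:00000003
"AccessVBOM"=dword:00000000
"""

if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_INFECTED)):
        print("[!]", finding)
    print("cleaned export clear:", is_clean(SAMPLE_CLEANED))
```

On a real machine the exports would come from `reg export` of the three keys above; the checker compares key names case-insensitively, as the registry does, and treats the Word values as indicators whether they were stored as strings or as DWORDs.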
