Malware Trojan.Win32.Oficla.dxy – a Trojan with a destructive effect on the user's computer.
Technical details
The Trojan has a destructive effect on the user's computer. The program itself is a Windows PE DLL file, 20480 bytes in size, written in C++.
Installation
The Trojan copies its body to the current user's temporary directory under the name "ibee.dwo" (the same file is spelled "ibee.dvo" elsewhere in the original listing):
%Temp%\ibee.dwo
To start automatically when the system boots, the Trojan adds an entry to the system registry. The Winlogon "Shell" value normally contains only "Explorer.exe"; the Trojan appends a rundll32.exe command that loads the dropped DLL and calls its export "bibltn" (the argument after the DLL path is the entry point name rundll32.exe invokes):
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe rundll32.exe %Temp%\ibee.dwo bibltn"
Destructive activity
If Microsoft Office is installed on the user's computer, the Trojan lowers Word's macro security by writing the following values to the registry key (Office 11.0 is Office 2003; "Level" = 1 is the "Low" macro security setting, under which macros run without any prompt, and "AccessVBOM" = 1 grants programmatic access to the VBA project object model):
[HKCU\Software\Microsoft\Office\11.0\Word\Security]
"Level" = "1"
"AccessVBOM" = "1"
It then runs macros that launch the original body of the Trojan.
To ensure that only one copy of its process runs on the system, the Trojan creates a unique identifier with the name:
4025350706eeda32
The Trojan then creates a process named "svchost.exe" and injects its malicious code into that process's address space:
svchost.exe
The Trojan sends a request to the following address:
http://**artcrip**.com/full/bb.php
In response it receives a configuration file that it uses for its further work.
The Trojan stores the links for downloading other malicious files, obtained from the configuration file, in the following registry key:
[HKCR\idid]
Removal
If your computer was not protected by an antivirus and is infected with this malware, do the following to remove it:
Delete the original Trojan file (its location depends on how the program originally penetrated the victim machine).
Delete the file:
%Temp%\ibee.dwo (spelled "ibee.dvo" in part of the original listing)
Clear the Temporary Internet Files directory, which may contain infected files:
%Temporary Internet Files%
Delete the registry key:
[HKCR\idid]
If necessary, reset the "Level" and "AccessVBOM" values in the registry key:
[HKCU\Software\Microsoft\Office\11.0\Word\Security]
"Level"
"AccessVBOM"
Restore the value of the following registry key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe"
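The following PowerShell script is an added example, not part of the original description, that checks a host for the indicators listed under "Installation" and "Destructive activity" and, with the -Remediate switch, carries out the removal steps above. It assumes that the unique identifier 4025350706eeda32 is a named mutex (the description only calls it a "unique identifier"), that a clean Winlogon "Shell" value is exactly "Explorer.exe", and that a legitimate svchost.exe is always started by services.exe; the restored macro security level 3 ("High") is the editor's choice, not a value from the description. Run it from an elevated PowerShell session.

```powershell
# Added example: detect / remove Trojan.Win32.Oficla.dxy artifacts described above.
# Not the advisory's own tooling. Run as Administrator.
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped body in %Temp%; both spellings that appear in the description are checked.
foreach ($name in 'ibee.dwo', 'ibee.dvo') {
    $f = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $f) {
        $findings.Add("Dropped file present: $f")
        if ($Remediate) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    }
}

# 2. Winlogon Shell persistence. Anything other than "explorer.exe" is suspicious,
#    not only the exact rundll32 string used by this sample (assumption: clean = Explorer.exe).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings.Add("Winlogon Shell tampered: '$shell'")
    if ($Remediate) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'Explorer.exe' }
}

# 3. Word 2003 (Office 11.0) macro security downgraded: Level=1 (Low), AccessVBOM=1.
$wordSec = 'HKCU:\Software\Microsoft\Office\11.0\Word\Security'
if (Test-Path -Path $wordSec) {
    $sec = Get-ItemProperty -Path $wordSec
    if ($sec.Level -eq 1 -or $sec.AccessVBOM -eq 1) {
        $findings.Add("Word macro security lowered: Level=$($sec.Level) AccessVBOM=$($sec.AccessVBOM)")
        if ($Remediate) {
            # Level 3 = High (only signed macros from trusted sources run); editor's choice.
            Set-ItemProperty -Path $wordSec -Name Level -Value 3 -Type DWord
            Set-ItemProperty -Path $wordSec -Name AccessVBOM -Value 0 -Type DWord
        }
    }
}

# 4. Configuration / download-link store HKCR\idid.
$idid = 'Registry::HKEY_CLASSES_ROOT\idid'
if (Test-Path -Path $idid) {
    $findings.Add('Config key present: HKCR\idid')
    if ($Remediate) { Remove-Item -Path $idid -Recurse -Force }
}

# 5. Unique identifier, assumed here to be a named mutex. OpenExisting throws
#    WaitHandleCannotBeOpenedException when no such mutex exists.
try {
    $m = [System.Threading.Mutex]::OpenExisting('4025350706eeda32')
    $m.Dispose()
    $findings.Add('Mutex 4025350706eeda32 is held: Trojan is probably running')
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present
}

# 6. svchost.exe instances not started by services.exe: the injected host described
#    above is created by the Trojan, not by the Service Control Manager (assumption).
$procs = Get-CimInstance -ClassName Win32_Process
foreach ($proc in ($procs | Where-Object { $_.Name -eq 'svchost.exe' })) {
    $parent = $procs | Where-Object { $_.ProcessId -eq $proc.ParentProcessId }
    if (-not $parent -or $parent.Name -ne 'services.exe') {
        $findings.Add("svchost.exe PID $($proc.ProcessId) has parent '$($parent.Name)' (PID $($proc.ParentProcessId))")
    }
}

if ($findings.Count -eq 0) { 'No Oficla.dxy indicators found.' } else { $findings }
```

Run it once without -Remediate to see what is present, terminate any svchost.exe flagged in step 6 before deleting the dropped file (an open file handle would otherwise block the deletion), then run it again with -Remediate. Restoring the Winlogon "Shell" value before the next reboot matters most: as long as it still contains the rundll32.exe command, every logon reloads the DLL.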