Malware Trojan.Win32.Oficla.ebb

Posted: August 29, 2012 in Encyclopedia viruses

Malware Trojan.Win32.Oficla.ebb – a Trojan with a destructive effect on the user’s computer.

Technical details

The Trojan has a destructive effect on the user’s computer. The program is a Windows PE DLL file, 20480 bytes in size, written in C++.

Installation

The Trojan copies its body into the current user’s temporary directory under the name “mifs.pbo”:

%Temp%\mifs.pbo

To start automatically at system startup, the Trojan adds the following entry to the system registry:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe rundll32.exe %Temp%\mifs.pbo ntjtstl"

Destructive activity

If the application “Microsoft Office” is installed on the user’s computer, the Trojan sets a low security level by writing the following values to the registry key:

[HKCU\Software\Microsoft\Office\11.0\Word\Security] "Level" = "1" "AccessVBOM" = "1"

It then runs macros through which the original body of the Trojan is launched.

To ensure that only one instance of its process runs on the system, the Trojan creates a unique identifier with the name:

147473761757e6b5d1

The Trojan then creates a process named “svchost.exe” and injects its malicious code into that process’s address space:

svchost.exe

The Trojan sends a request to the following address:

http://****khgj.com/full/bb.php

In response it receives a configuration file for its further work. The links for downloading other malicious files, obtained from this configuration file, are stored by the Trojan in the following registry key:

[HKCR\idid]

Removal

If your computer was not protected by an antivirus and has been infected with this malware, remove it with the following steps:

1. Delete the original Trojan file (its location will depend on how the program originally penetrated the victim machine).

2. Delete the file:

%Temp%\mifs.pbo

3. Clear the Temporary Internet Files directory, which may contain infected files:

%Temporary Internet Files%

4. Delete the registry key:

[HKCR\idid]

5. If necessary, reset the “Level” and “AccessVBOM” values in the registry key:

[HKCU\Software\Microsoft\Office\11.0\Word\Security] "Level" "AccessVBOM"

6. Restore the “Shell” value in the following registry key:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
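The indicators and the removal steps above, turned into a host check, as an added example that is not part of the original encyclopedia entry: a PowerShell script that audits the Winlogon “Shell” value, the dropped file, the HKCR\idid key, the Word security values and the unique identifier, and restores them only when run with the -Remediate switch (a name chosen here, not from the page). It assumes the identifier is a mutex and that explorer.exe is the default “Shell” value.

```powershell
# Added example, not from the original entry. Audits a host for the
# Trojan.Win32.Oficla.ebb changes described above; run elevated. Reports only,
# unless -Remediate (a switch name chosen here) is given.
param([switch]$Remediate)
$findings = @()

# 1. Winlogon Shell: the default is exactly "explorer.exe"; the Trojan appends rundll32.exe %Temp%\mifs.pbo
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell modified: '$shell'"
    if ($Remediate) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'explorer.exe' }
}

# 2. Dropped body in the current user's temp directory
$dropped = Join-Path $env:TEMP 'mifs.pbo'
if (Test-Path -LiteralPath $dropped) {
    $findings += "Dropped file present: $dropped"
    if ($Remediate) { Remove-Item -LiteralPath $dropped -Force }
}

# 3. Key where the Trojan stores the download links from its configuration file
$idid = 'Registry::HKEY_CLASSES_ROOT\idid'
if (Test-Path -LiteralPath $idid) {
    $findings += 'Registry key present: HKCR\idid'
    if ($Remediate) { Remove-Item -LiteralPath $idid -Recurse -Force }
}

# 4. Word 2003 (11.0) macro security: Level 1 = Low, AccessVBOM 1 = trust access to the VBA project
$word = 'HKCU:\Software\Microsoft\Office\11.0\Word\Security'
$sec = Get-ItemProperty -Path $word -ErrorAction SilentlyContinue
if ($sec -and ($sec.Level -eq 1 -or $sec.AccessVBOM -eq 1)) {
    $findings += "Word macro security weakened: Level=$($sec.Level) AccessVBOM=$($sec.AccessVBOM)"
    if ($Remediate) {
        # Level 3 (High) and AccessVBOM 0 are the Office defaults; the page itself names no values
        Set-ItemProperty -Path $word -Name Level -Value 3 -Type DWord
        Set-ItemProperty -Path $word -Name AccessVBOM -Value 0 -Type DWord
    }
}

# 5. Running instance: the unique identifier is assumed here to be a mutex (the page does not say)
foreach ($name in '147473761757e6b5d1', 'Global\147473761757e6b5d1') {
    try { $m = [System.Threading.Mutex]::OpenExisting($name); $m.Dispose(); $findings += "Mutex present: $name" }
    catch [System.UnauthorizedAccessException] { $findings += "Mutex present (access denied): $name" }
    catch { }  # WaitHandleCannotBeOpenedException: no such mutex
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No Oficla.ebb indicators found.' }
```

A positive Winlogon or mutex finding means the machine should be treated as live-infected and the injected svchost.exe process examined before the file and keys are removed.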
