Oficla Trojan spam campaigns (July 9, 2010)

The SonicWALL UTM Research team observed multiple spam campaigns over the last 3 days involving the Oficla Trojan. SonicWALL has received more than 10,000 copies of e-mails from these spam campaigns so far. The e-mail messages contain a zip-archived attachment that holds a new variant of the Oficla Trojan executable.

The e-mail formats used by these spam campaigns are shown below:

Campaign #1 – Changelog document spam

Attachment: Changelog_05_07_2010.zip (contains Changelog_05_07_2010.DOC.exe)

Subject: Your log 06.07.2010

Email Body:
————————
Good afternoon,
as promised your changelog is attached,
Sandy
————————

The email message looks like:

screenshot

Campaign #2 – Fees document spam

Attachment: Fees_2010.zip (contains Fees_2010.DOC.exe)

Subject: Your fees 2010

Email Body:
————————
Please find attached a statement of fees as requested, this will be posted today.
The accommodation is dealt with by another section and I have passed your request on to them today.

Kind regards.
Gina Martinez
————————

The email message looks like:

screenshot

The executable files inside the attachments have an icon disguised as that of a Microsoft Word document:

screenshot

If the user opens the malicious attachment, it performs the following activities on the victim machine:

  • Connects to a predetermined C&C server and sends system information. The server responds with a command to download and run a malware executable; the response also contains backup URLs for the C&C server.

    screenshot

  • Drops the following malicious executable files, some of which are downloaded from URLs received from the C&C server:
    • (Temp)\10.tmp – Detected as GAV: Bredolab.PCK (Trojan)
    • (Temp)\14.tmp – Detected as GAV: Bredolab.PCK_2 (Trojan)
    • (Temp)\15.tmp – Detected as GAV: Bredolab.PCK_2 (Trojan)
    • (Temp)\F.tmp – Detected as GAV: Oficla_8 (Trojan)
    • (System)\thxr.wgo – Detected as GAV: Oficla_8 (Trojan)
  • Injects F.tmp into svchost.exe process.
  • Deletes the original copy of the file that was opened by the user.
  • Modifies the following registry entry to ensure thxr.wgo gets injected on every system restart:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “Explorer.exe rundll32.exe thxr.wgo nwfdtx”
  • Creates the following registry entries to store the backup C&C server URLs in hexadecimal format:
    • HKLM\SOFTWARE\Classes\idid\url1: (URL in hexadecimal format)
    • HKLM\SOFTWARE\Classes\idid\url2: (URL in hexadecimal format)
    • HKLM\SOFTWARE\Classes\idid\url3: (URL in hexadecimal format)
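As an added triage example (not code from the SonicWALL write-up), the script below parses a .reg export of the two keys above, flags a Winlogon Shell value that launches anything besides Explorer.exe, and decodes the hex-encoded url* values so an analyst can block the backup C&C hosts. The export text and the example.invalid URLs are constructed, and storing the URLs as hex-digit strings is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed .reg export standing in for `reg export` output from an infected host.
# Key paths and the Shell value follow the write-up; URLs are constructed
# (example.invalid) and hex-digit-string storage is an assumption.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe thxr.wgo nwfdtx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid]
"url1"="687474703a2f2f6578616d706c652e696e76616c69642f6261636b7570"
"url2"="687474703a2f2f6261636b75702e6578616d706c652e696e76616c69642f"
"url3"="not-hex"
'''
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IDID = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export into {key_path: {value_name: data}} (REG_SZ only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        val = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if key:
            current = key.group(1)
            keys[current] = {}
        elif val and current is not None:
            keys[current][val.group(1)] = val.group(2)
    return keys


def check_winlogon_shell(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Programs the Shell value launches beyond Explorer.exe; empty list means clean."""
    tokens = keys.get(WINLOGON, {}).get("Shell", "Explorer.exe").split()
    if tokens and tokens[0].lower() == "explorer.exe":
        return tokens[1:]
    return tokens  # Explorer.exe replaced outright: report the whole value


def decode_backup_urls(keys: Dict[str, Dict[str, str]]) -> Dict[str, Optional[str]]:
    """Decode hex-encoded url* values under idid; malformed values map to None."""
    urls: Dict[str, Optional[str]] = {}
    for name, data in sorted(keys.get(IDID, {}).items()):
        if name.lower().startswith("url"):
            try:
                urls[name] = bytes.fromhex(data).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                urls[name] = None
    return urls
```

On a live host the same checks can be fed from `reg export` of the two keys; a non-empty result from check_winlogon_shell is the persistence indicator described above.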

SonicWALL Gateway AntiVirus provides protection against this Oficla Trojan variant via the GAV: Oficla.GW_2 (Trojan) signature.

screenshot