Trojan poses as a Fake Microsoft Office update (Mar 13, 2014)


The Dell SonicWall Threats Research team has received reports of a Trojan posing as a Microsoft Office update opportunely timed with Patch Tuesday’s release two days ago. The Trojan periodically contacts a remote server and has the ability to download and install further components on the victim machine.

Infection Cycle:

Upon execution the Trojan compares its file name against the following two names that are commonly used by security researchers when naming their malware samples and terminates itself when it finds a match:

Figure 1: Common file names for malware samples

The trojan creates a copy of itself into the following location:

  • %APPDATA%MsOfficeOfficeUpdt.exe [Detected as GAV: FakeOff.MS (Trojan)]

It also creates the following files in the same location:

  • %APPDATA%MsOfficedb
  • %APPDATA%MsOfficedebug.txt (log file)

Figure 2: Sample of information written to this log file

In order to start after reboot the bot adds the following keys to the registry:

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun [MSOfficeUpdate] “%AppData%MsOfficeOfficeUpdt.exe”

The trojan periodically contacts a remote server and sends encrypted data from the log file:

Figure 3:Trojan connecting to a remote server

Figure 4:Sample of information sent to a remote server

The Trojan appears to be capable of supplementing itself with more functionalities by downloading and installing additional modules based on these strings found in its main executable:

Figure 5: Strings from the binary

But during our analysis, the only communication we received from the remote server had this content:

Figure 6: Sample content of communication received from the remote server

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: FakeOff.MS (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.