Oficla Trojan spam campaigns

July 9, 2010

The SonicWALL UTM Research team has observed multiple spam campaigns in the last 3 days involving the Oficla Trojan. SonicWALL has received more than 10,000 copies of these e-mails so far. Each message carries a zip-archived attachment containing a new variant of the Oficla Trojan executable.

The e-mail formats used by these spam campaigns are shown below:

Campaign #1 - Changelog document spam

Attachment: Changelog_05_07_2010.zip (contains Changelog_05_07_2010.DOC.exe)

Subject: Your log 06.07.2010

Email Body:
Good afternoon,
as promised your changelog is attached,

The email message looks like:


Campaign #2 - Fees document spam

Attachment: Fees_2010.zip (contains Fees_2010.DOC.exe)

Subject: Your fees 2010

Email Body:
Please find attached a statement of fees as requested, this will be posted today.
The accommodation is dealt with by another section and I have passed your request on to them today.

Kind regards.
Gina Martinez

The email message looks like:


The executable files inside the attachments use an icon disguised as a Microsoft Word document, so the double extension (.DOC.exe) is easy to miss, especially when Windows Explorer is hiding known file extensions:
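The double-extension trick above is something a mail gateway can catch before the user ever sees the icon. The following Python script is an added example (it is not part of the SonicWALL post and not SonicWALL code): it builds a constructed zip in memory resembling the Fees_2010.zip attachment and flags members whose name ends in an executable extension after a document-style one, or whose content starts with the MZ header of a Windows PE file regardless of what the name says. The member names other than Fees_2010.DOC.exe and all file contents are constructed stand-ins, not samples from the campaign.

```python
import io
import zipfile

# Extensions a gateway should treat as executable content.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".dll"}
# Document-style extensions attackers pair with an executable one ("Fees_2010.DOC.exe").
DECOY_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".txt", ".rtf"}


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks like a disguised executable."""
    reasons = []
    basename = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in basename.split(".")[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append("document-style double extension")
    # Check content, not just the name: every PE file begins with the "MZ" magic.
    if head[:2] == b"MZ":
        reasons.append("MZ header (PE executable)")
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to the list of reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment; the 'executables' are harmless MZ-prefixed stubs."""
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fees_2010.DOC.exe", fake_pe)  # double extension, as in campaign #2
        zf.writestr("notes.doc", fake_pe)          # constructed: PE renamed to look like a document
        zf.writestr("readme.txt", b"hello")        # constructed: benign text file
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_attachment(build_sample_zip()).items():
        print(f"{member}: {', '.join(reasons)}")
```

Checking the MZ header as well as the name matters because the icon and the filename are both under the attacker's control; the first two bytes of a PE file are not.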


If the user opens the malicious attachment, it performs the following activities on the victim machine:

  • Connects to a predetermined C&C server and sends system information. The server responds with a command to download and run a malware executable; the response also contains backup URLs for the C&C server.


  • Drops the following malicious executable files, some of which are downloaded from URLs received from the C&C server:
    • (Temp)\10.tmp - Detected as GAV: Bredolab.PCK (Trojan)
    • (Temp)\14.tmp - Detected as GAV: Bredolab.PCK_2 (Trojan)
    • (Temp)\15.tmp - Detected as GAV: Bredolab.PCK_2 (Trojan)
    • (Temp)\F.tmp - Detected as GAV: Oficla_8 (Trojan)
    • (System)\thxr.wgo - Detected as GAV: Oficla_8 (Trojan)
  • Injects F.tmp into the svchost.exe process.
  • Deletes the original copy of the file the user opened.
  • Modifies the following registry value so that thxr.wgo is loaded by rundll32.exe at every logon (this value normally contains only Explorer.exe):
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe rundll32.exe thxr.wgo nwfdtx"
  • Creates the following registry values to store the backup C&C server URLs in hexadecimal format:
    • HKLM\SOFTWARE\Classes\idid\url1: (URL in hexadecimal format)
    • HKLM\SOFTWARE\Classes\idid\url2: (URL in hexadecimal format)
    • HKLM\SOFTWARE\Classes\idid\url3: (URL in hexadecimal format)

SonicWALL Gateway AntiVirus provides protection against this Oficla Trojan variant with the GAV: Oficla.GW_2 (Trojan) signature.