New Oficla trojan in emails with subject "Your facebook password has been changed"

A new trojan distribution campaign by email was intercepted by Ax3soft. The subject of the email may be "Facebook password details changed!", "Facebook password has been changed!" or "Facebook Password Reset Confirmation!". The email is sent from a spoofed address, for example: "information@facebook.com", "lhofmeis@facebook.com", "clinkard@facebook.com", "freshlix@facebook.com", "germanzetti@facebook.com", "blueyescc@facebook.com" or "stiftungen@facebook.com". The body of the email:
The attached ZIP file has the name Facebook_document.zip and contains the 36 kB file Facebook_document.exe. The trojan is known as Win32/Oficla.II (NOD), Trojan.Win32.Oficla.lh (Kaspersky), Troj/Mdrop-CWY (Sophos) and Win32:Trojan-gen (Avast).

It creates the following file: %Temp%\1.tmp

It creates the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid

The following registry key is modified: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
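The campaign above is easy to catch at the mail gateway because the lure subjects, the spoofed facebook.com senders, the attachment name and the "ZIP containing an .exe" pattern are all fixed. The following script is an added example, not Ax3soft's or Sax2's own detection policy: it parses a raw message with the standard library, checks the indicators quoted in the text, and only reads the ZIP's central directory (nothing is extracted or run). The sample messages it builds are constructed for the example; the "executable" inside the ZIP is a stub, not the real trojan. The host artifacts (%Temp%\1.tmp, the idid and Winlogon keys) are not covered here.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Indicators quoted from the newsletter text above.
SUBJECTS = {
    "your facebook password has been changed",
    "facebook password details changed!",
    "facebook password has been changed!",
    "facebook password reset confirmation!",
}
SENDERS = {
    "information@facebook.com", "lhofmeis@facebook.com", "clinkard@facebook.com",
    "freshlix@facebook.com", "germanzetti@facebook.com", "blueyescc@facebook.com",
    "stiftungen@facebook.com",
}
ATTACHMENT_NAME = "facebook_document.zip"
# Extensions treated as executable when found inside the ZIP (generalised beyond .exe).
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd)$", re.IGNORECASE)


def executables_in_zip(data: bytes) -> list:
    """Return ZIP member names that look executable.
    Only the central directory is read; nothing is extracted or executed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if EXECUTABLE_EXT.search(n)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the campaign indicators."""
    msg = email.message_from_bytes(raw, policy=default)
    hits = []

    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")

    sender = parseaddr(msg["From"] or "")[1].lower()
    if sender in SENDERS:
        hits.append("sender")
    elif sender.endswith("@facebook.com"):
        hits.append("sender_domain")  # same spoofed domain, address not on the list

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name == ATTACHMENT_NAME:
            hits.append("attachment_name")
        if name.endswith(".zip") and executables_in_zip(payload):
            hits.append("executable_in_zip")

    lure = {"subject", "sender", "sender_domain"} & set(hits)
    if "executable_in_zip" in hits and lure:
        verdict = "block"  # password-change lure plus an executable inside the ZIP
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


def build_sample_message(malicious: bool = True) -> bytes:
    """Construct a test message; the ZIP member is a stub, not real malware."""
    msg = EmailMessage()
    if malicious:
        msg["Subject"] = "Facebook password has been changed!"
        msg["From"] = "Facebook <information@facebook.com>"
        member, zip_name = "Facebook_document.exe", "Facebook_document.zip"
    else:
        msg["Subject"] = "Quarterly report"
        msg["From"] = "alice@example.org"
        member, zip_name = "report.txt", "report.zip"
    msg["To"] = "user@example.org"
    msg.set_content("See attached document.")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"stub bytes, constructed for the example")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample_message(flag)))
```

The "block" verdict deliberately requires both a lure indicator and an executable inside the ZIP, so a legitimate facebook.com notification without an attachment, or a ZIP of documents from an unrelated sender, only lands in "review" at most. Feeding real gateway traffic into `triage` is a matter of passing each stored message's raw bytes.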
How-to's

1. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

2. We have added new Ax3soft Sax2 policies to detect this trojan; please update the Sax2 policy knowledge base promptly.

Appendix: For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm