Global sites
SolutionsProductsPurchaseDownloadPartnersSupportCompanyThreat Center
Threat CenterEset Online scannerESET SysInspectorThreatSense® ThreatSense.Net® Security TipsThreat LevelThreat Dictionary
Threat Encyclopaedia
Update infoVirus Radar on your Website
Antivirus Software NOD32 > Threat Center > Threat Encyclopaedia > O

Threat Encyclopaedia

Print this pageSend

Win32/Oficla.EF

Aliases:Trojan.Sasfis (Symantec), TrojanDropper:Win32/Oficla.G (Microsoft) 
Type of infiltration:Trojan  
Size:19968 B 
Affected platforms:Microsoft Windows 
Signature database version:4912 (20100303) 

Short description

Win32/Oficla.EF is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:
  • %system%\nynw.wmo (20992 B)
  • %temp%\%variable1%.tmp (20992 B)
A string with variable content is used instead of %variable1%.

In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Winlogon]
    "Shell" = "* rundll32.exe nynw.wmo mynleeq"
The following Registry entries are set:
  • [HKEY_CLASSES_ROOT\idid]
    "op" = %variable2%
    "url%variable3%" = %variable4%
A string with variable content is used instead of *, %variable2-4%.

Other information

The trojan is sent data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs. The HTTP protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
The trojan may create the following files:
  • %temp%\%variable5%.tmp
A string with variable content is used instead of %variable5%.

The trojan may set the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Office\%variable6%\
    Word\Security]
    "VBAWarnings" = 1
    "Level" = 1
    "AccessVBOM" = 1
A string with variable content is used instead of %variable6%.