MX Lab intercepted some emails with the subject “Scan from a Xerox WorkCentre Pro N 6204257″ that contains the latest Oficla trojan variant. The emails are sent from a spoofed email address and contains a subject in one of the following formats:
Scan from a Xerox WorkCentre Pro N 6204257
Scan from a Xerox WorkCentre Pro #866521
The email targets business users. It is quite common that an office print and scan center like a Xerox machine will send a scanned document by email to a recipient.
The body of the email:
Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.
Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]
WorkCentre Pro Location: machine location not set
Device Name: XRX6150AA7ACDB45706461
For more information on Xerox products and solutions, please visit
http://www.xerox.com
The email contains a ZIP archive named XeroxN6204257.zip with the 32 kB large document Xerox_doc.exe inside. Note that the number of the ZIP archive matches the number in the subject line and will be different with each email.
The trojan is known as Gen:Variant.Oficla.4 (F-Secure, GData, NSecure) or W32/Oficla.AP (Authentium).
The following files will be created:
%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp
%System%\svrwsc.exe
The following directories are created:
%CommonAppData%\Microsoft\OFFICE
%CommonAppData%\Microsoft\OFFICE\TEMP
The Windows service SvrWsc - Windows Security Center Service with the filename %System%\svrwsc.exe will be stopped. Do not be fooled, the Windows Security Center Service is a malicious service and has nothing to do with the legitimate service Security Center from Windows .
Several Windows registry changes will be exectued and the trojan can establish connection with the following IPs on port 80:
80.74.132.218
91.212.127.40
91.216.215.66
Data can be obtained from following URLs:
- hxxp://www.kollo.ch/images/cgi.exe
- hxxp://musiceng.ru/music/forum/index1.php
- hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&b=avpsales&tm=1
- hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&tid=26&b=avpsales&r=1&tm=1
At the time of writing, only 6 of the 41 AV engines did detect the trojan at Virus Total. Virus Total permlink and MD5: 1d378a6bc94d5b5a702026d31c21e242.
View full post on mxlab – all about anti virus and anti spam
Related Posts
- New Oficla trojan version in emails with subject “Scan from a Xerox WorkCentre Pro”
MX Lab intercepted some emails with the subject “Scan from a Xerox WorkCentre Pro N 6204257″ that contains the latest Oficla trojan variant. The emails are sent from a spoofed email address and contai... - New Oficla trojan in emails with subject “Your facebook password has been changed”
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your facebook password has been changed″
The email is send from the spoofed address “You... - Oficla trojan found in emails with subject “Please look my CV. Thank you.”
MX Lab started to intercept emails with the subject “Please look my CV. Thank you.” with the trojan Gen:Variant.Bredo.4 (Bitdefender, F-Secure), TrojanDropper:Win32/Oficla.G (Microsoft), T... - Trojan attached to “Scan from a Xerox WorkCentre” messages
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Scan from a Xerox WorkCentre P9275821″.
The email is send from the spoofed ... - New Oficla trojan in messages with subject “Changelog 07.06.2010″
MX Lab intercepted a new variant of the trojan Oficla in messages with the subject “Changelog 07.06.2010″. The from address is spoofed and choosen randomly.
Some samples of the email body:... - Emails with the subject “UPS INVOICE NR9094991″ and “Delivery Problem NR2204780″ contains trojan
A combination of the “Thank you for buying iTunes Gift Certificate!” and the latest UPS related emails with subjects like “UPS INVOICE NR9094991″ or ”Delivery Problem NR... - Sasfis trojan present in emails with subject Statement of fees 2009/2010
MX Lab intercepted messages with the subject “Statement of fees 2009/2010″ that contains the Sasfis trojan attached in a ZIP archive. The email is send from various spoofed email addresses... - Canadian Pharmacy pops up in emails from Facebook with subject “Welcome to Facebook Goods”
MX Lab, http://www.mxlab.eu, started to intercept a new spam campaign, since yesterday, by email with the subject “Welcome to Facebook Goods”. These messages are sent from the spoofed emai... - UPS Spam Mail
Emsisoft Labs are always on the lookout for something out of the ordinary happening, and we recently came across a circulation of spam portraying as fake FedEx Emails. Emsisoft Anti-Malware will det... - Emails with subject “So now you’re on LinkedIn: What’s next?″ lead to malware
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “So now you’re on LinkedIn: What’s next?”. This campaign is a fol...
Posted on 18 July 2010. Tags: “Scan, emails, Gen:Variant Oficla 4, Oficla, Pro”, subject, Trojan, WorkCentre, Xerox
