New Oficla trojan variant targets Facebook users

MX Lab detected a new variant of the Oficla trojan that targets Facebook users. The lure claims that the recipient's Facebook password has been reset and that the new password can be found in the attached document.

The emails are sent from the spoofed address The Facebook Team <profile@facebook.com> with subjects such as:

Facebook Password Reset Confirmation! Customer Message.
Facebook Password Reset Confirmation! Customer Support.
Facebook Password Reset Confirmation! Important Message.
Facebook Password Reset Confirmation! Support Message.
Facebook Password Reset Confirmation! Your support.

The content of the email:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

The email carries the attachment Facebook_document_Nr1637.zip (the last four digits may vary), which once extracted contains the 48 kB executable Facebook_document_Nr1637.exe.
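The lure above is easy to spot mechanically: a spoofed facebook.com sender, a fixed subject prefix, and a zip whose name matches Facebook_document_Nr####.zip and which contains an executable. The script below is an added example (not MX Lab's code) that parses a message and reports which of those indicators are present; the message and the zip are constructed in memory (the .exe member is dummy bytes, not the trojan), and the list of executable suffixes is an assumption, so it runs offline:

```python
"""Flag the Oficla "Facebook password reset" lure described above.

Added example, not MX Lab's code. The message and the zip are constructed
in memory (the .exe member is dummy bytes, not the trojan) so it runs offline.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

LURE_FROM = "profile@facebook.com"                       # spoofed sender from the post
LURE_SUBJECT = re.compile(r"^Facebook Password Reset Confirmation!", re.I)
ATTACH_NAME = re.compile(r"^Facebook_document_Nr\d{4}\.zip$", re.I)  # last four digits vary
EXEC_EXT = (".exe", ".scr", ".com", ".pif")              # assumption: common executable suffixes


def executables_in_zip(data: bytes) -> list:
    """Names of zip members with an executable suffix; [] if data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def analyse(raw: bytes) -> dict:
    """Return the lure indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if LURE_FROM in msg.get("From", "").lower():
        hits.append("spoofed-from")
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        hits.append("lure-subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_NAME.match(name):
            hits.append("lure-attachment-name")
        if executables_in_zip(part.get_payload(decode=True) or b""):
            hits.append("zip-contains-exe")
    # Two independent indicators are required so a lone spoofed From header
    # (trivial to forge) does not quarantine a message on its own.
    return {"hits": hits, "malicious": len(hits) >= 2}


def build_sample() -> bytes:
    """Constructed copy of the lure for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_document_Nr1637.exe", b"MZ" + b"\0" * 62)  # dummy bytes
    msg = EmailMessage()
    msg["From"] = "The Facebook Team <profile@facebook.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Facebook Password Reset Confirmation! Customer Support."
    msg.set_content("Dear user of facebook,\n\nBecause of the measures taken to provide "
                    "safety to our clients, your password has been changed.\n"
                    "You can find your new password in attached document.\n\n"
                    "Thanks,\nYour Facebook.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_document_Nr1637.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyse(build_sample()))
```

The From check only recognises this particular lure; because the header is spoofed, it says nothing about whether a message really came from Facebook, and a mail gateway would still want to combine it with SPF/DKIM results and the attachment inspection rather than rely on it alone.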

The trojan is detected as Trojan:Win32/Oficla.M (Microsoft), Trojan-Downloader:W32/Oficla.Y (F-Secure) or TR/Crypt.ZPACK.Gen (Antivir).

The trojan attempts to download a rogue security program identified as TrojanDownloader:Win32/FakeScanti. Trojans of the Win32/FakeScanti family present themselves as genuine anti-virus programs but are malware: they display fake warnings about virus infections on the system and prompt the user to register and pay for the so-called anti-virus software.

The following files are created:

%Temp%\1.tmp
%System%\ngts.vao

The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” is modified.

The trojan can establish a connection to 195.78.108.201 on port 80 and retrieve data from hxxp://designfolkov.ru/hules/bb.php?v=200&id=256235564&b=26aprela&tm=2.
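The IP and URL above are the indicators an analyst would sweep proxy logs for. The script below is an added example (not MX Lab's code) that refangs the hxxp URL, derives host and path from it, and matches constructed Squid-like log lines (epoch-time client method url status) against them; only host and path are matched because the id= query value is assumed here to vary per infected host, which the post does not state:

```python
"""Match the Oficla network indicators from the post against proxy log lines.

Added example, not MX Lab's code. Log lines are constructed in a simplified
Squid-like layout: epoch-time client method url status.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators exactly as given in the post (URL defanged with hxxp).
IOC_IP = "195.78.108.201"
IOC_URL = "hxxp://designfolkov.ru/hules/bb.php?v=200&id=256235564&b=26aprela&tm=2"


def refang(url: str) -> str:
    """Turn the defanged hxxp scheme back into http so urlsplit sees a real URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


_ioc = urlsplit(refang(IOC_URL))
IOC_HOSTS = {_ioc.hostname, IOC_IP}
# Assumption: id= varies per infected host, so match host + path, not the full query.
IOC_PATH = _ioc.path   # "/hules/bb.php"

# Constructed sample log: one benign request, two C2 check-ins, one unrelated hit on the C2 host.
SAMPLE_LOG = """\
1272268800.123 10.0.0.15 GET http://www.example.com/index.html 200
1272268801.456 10.0.0.15 GET http://designfolkov.ru/hules/bb.php?v=200&id=256235564&b=26aprela&tm=2 200
1272268802.789 10.0.0.22 GET http://195.78.108.201/hules/bb.php?v=200&id=1&b=26aprela&tm=2 200
1272268803.001 10.0.0.15 GET http://designfolkov.ru/favicon.ico 404
"""


def parse_line(line: str) -> dict:
    """Split one log line and decompose its URL."""
    ts, client, method, url, status = line.split()
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "status": status,
            "host": u.hostname, "path": u.path, "query": parse_qs(u.query)}


def match_iocs(log_text: str) -> list:
    """Return records whose destination host/IP or path matches the indicators."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        if rec["host"] in IOC_HOSTS:
            reasons.append("ioc-host")
        if rec["path"] == IOC_PATH:
            reasons.append("ioc-path")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def clients_hitting_c2(log_text: str) -> dict:
    """Map each client that requested the C2 path to the id= values it sent."""
    out = {}
    for h in match_iocs(log_text):
        if "ioc-path" in h["reasons"]:
            out.setdefault(h["client"], set()).update(h["query"].get("id", []))
    return out


if __name__ == "__main__":
    for h in match_iocs(SAMPLE_LOG):
        print(h["ts"], h["client"], h["host"], h["path"], h["reasons"])
    print(clients_hitting_c2(SAMPLE_LOG))
```

A request that matches only the host (the favicon line) is worth a look but is weaker evidence than a hit on the bb.php path; the per-client id= summary gives the list of machines to pull for the %Temp%\1.tmp, %System%\ngts.vao and registry artifacts listed above.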

2 Responses to New Oficla trojan variant targets Facebook users

  1. slamdunk says:

    Thanks–those morons are annoying.

  2. Thank you my friend got this on her computer I will use to get rid of it

    Thanks a lot!
