Oficla trojan in emails with subject “Scan from a Xerox WorkCentre Pro”

July 17, 2010 1 Comment

MX Lab intercepted some emails with the subject “Scan from a Xerox WorkCentre Pro N 6204257″ that contains the latest Oficla trojan variant. The emails are sent from a spoofed email address and contains a subject in one of the following formats:

Scan from a Xerox WorkCentre Pro N 6204257
Scan from a Xerox WorkCentre Pro #866521

The email targets business users. It is quite common that an office print and scan center like a Xerox machine will send a scanned document by email to a recipient.

The body of the email:

Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX6150AA7ACDB45706461

For more information on Xerox products and solutions, please visit

http://www.xerox.com

The email contains a ZIP archive named XeroxN6204257.zip with the 32 kB large document Xerox_doc.exe inside. Note that the number of the ZIP archive matches the number in the subject line and will be different with each email.

The trojan is known as Gen:Variant.Oficla.4 (F-Secure, GData, NSecure) or W32/Oficla.AP (Authentium).

The following files will be created:

%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp
%System%\svrwsc.exe

The following directories are created:

%CommonAppData%\Microsoft\OFFICE
%CommonAppData%\Microsoft\OFFICE\TEMP

The Windows service SvrWsc - Windows Security Center Service with the filename %System%\svrwsc.exe will be stopped. Do not be fooled, the Windows Security Center Service is a malicious service and has nothing to do with the legitimate service Security Center from Windows .

Several Windows registry changes will be exectued and the trojan can establish connection with the following IPs on port 80:

80.74.132.218
91.212.127.40
91.216.215.66

Data can be obtained from following URLs:

  • hxxp://www.kollo.ch/images/cgi.exe
  • hxxp://musiceng.ru/music/forum/index1.php
  • hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&b=avpsales&tm=1
  • hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&tid=26&b=avpsales&r=1&tm=1

At the time of writing, only 6 of the 41 AV engines did detect the trojan at Virus Total. Virus Total permlink and MD5: 1d378a6bc94d5b5a702026d31c21e242.

Filed under Viruses Tagged with , , , , ,

One Response to Oficla trojan in emails with subject “Scan from a Xerox WorkCentre Pro”

  1. lisa says:
    July 18, 2010 at 1:03 pm

    i have received 3 of these in less than 24 hrs, i am not a business user, i thought they were dodgy, so haven’t opened them, avg hasn’t detected anything, then avg never does detect anything wrong with emails

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 108 other followers