
Trojan.Oficla uses office application file to hide itself and forms botnet

March 24, 2010

Doctor Web — the leading Russian anti-virus vendor — issues a warning to users as Trojan.Oficla programs spread widely over the Internet, with more than 100 000 detections per week. Once such a program has infected a system, it hides its malicious activity and creates a winword.exe process (if Microsoft Word is installed on the system). After that Trojan.Oficla makes the machine a member of a botnet and allows intruders to run other malicious programs on it.

Currently Trojan.Oficla (also known as myLoader) spreads via spam or exploits browser vulnerabilities to get into a system. It is likely that in the future cyber-criminals will use other channels as well to infect as many machines as possible.

In addition, various modifications of this Trojan horse are offered for sale to other criminals on specialised web sites at prices ranging from $450 to $700.

With Trojan.Oficla a criminal can create a botnet of his own, and there are already confirmed detections of botnet administration modules installed on various sites.

Once the system is infected, the owners of the botnet formed using Trojan.Oficla gain control over the compromised machine. In particular, they can download, install and run any other malicious program on the system.

Trojan.Oficla can also bypass popular firewalls and evade detection by anti-viruses. For this purpose the program uses the winword.exe file if Microsoft Word is installed on the system: Trojan.Oficla runs inside this process to hide its presence and to complicate analysis of the system. If MS Word is not installed on the computer, Trojan.Oficla injects its code into the svchost.exe process instead.
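The two hiding behaviours described above (running inside winword.exe to pass through firewall rules that trust Word, or inside svchost.exe when Word is absent) leave traces in ordinary process-creation and network-connection telemetry. The following script is an added illustration written for this page, not Doctor Web's own detection logic. It runs two defensive heuristics over a constructed, Sysmon-style event list: winword.exe started by a parent other than a user shell or mail client, and svchost.exe started by anything other than services.exe or from outside System32, with a network connection from such a process escalating the finding. The parent allow-lists, the port allow-list, the file paths and the sample events are all assumptions made for the example.

```python
"""
Heuristic detection of the Trojan.Oficla hiding pattern (code running inside
winword.exe or svchost.exe) over process and network events.

Added example for this article; not Dr.Web's detection logic. Event layout,
allow-lists and sample data are constructed assumptions.
"""
from typing import Dict, List

# Parents from which an interactive Word start is expected (assumption).
EXPECTED_WORD_PARENTS = {"explorer.exe", "outlook.exe", "userinit.exe"}
# svchost.exe is normally a child of services.exe (assumption used as a rule).
EXPECTED_SVCHOST_PARENTS = {"services.exe"}
# Destination ports an Office process is expected to use (assumption).
WEB_PORTS = {80, 443}
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample telemetry (not real data). Paths and IPs are made up.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "pid": 1200,
     "image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\report.doc"'},
    {"type": "network", "pid": 1200,
     "image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"type": "process", "pid": 1340,
     "image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r'"WINWORD.EXE"'},
    {"type": "network", "pid": 1340,
     "image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     "dest_ip": "198.51.100.23", "dest_port": 8080},
    {"type": "process", "pid": 1500,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "network", "pid": 1500,
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"type": "process", "pid": 1620,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "svchost.exe"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: List[Dict]) -> List[Dict]:
    """Return findings (pid, severity, reason) for events matching the heuristics.

    Events must be in chronological order so that a process's creation is seen
    before its network connections.
    """
    findings: List[Dict] = []
    suspicious_pids = set()  # pids whose creation already looked wrong

    for ev in events:
        image = basename(ev["image"])
        pid = ev["pid"]

        if ev["type"] == "process":
            parent = basename(ev["parent_image"])
            if image == "winword.exe" and parent not in EXPECTED_WORD_PARENTS:
                findings.append({"pid": pid, "severity": "medium",
                                 "reason": f"winword.exe started by unexpected parent {parent}"})
                suspicious_pids.add(pid)
            elif image == "svchost.exe":
                in_system32 = ev["image"].lower().startswith(SYSTEM32)
                if parent not in EXPECTED_SVCHOST_PARENTS or not in_system32:
                    findings.append({"pid": pid, "severity": "medium",
                                     "reason": f"svchost.exe started by {parent} from {ev['image']}"})
                    suspicious_pids.add(pid)

        elif ev["type"] == "network" and image in ("winword.exe", "svchost.exe"):
            odd_port = ev["dest_port"] not in WEB_PORTS
            if pid in suspicious_pids or odd_port:
                # A suspicious process that also talks to the network is the
                # bot-like behaviour the article describes: raise severity.
                findings.append({"pid": pid,
                                 "severity": "high" if pid in suspicious_pids else "low",
                                 "reason": f"{image} connected to {ev['dest_ip']}:{ev['dest_port']}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']:>6}] pid {f['pid']}: {f['reason']}")
```

On the constructed sample the legitimate Word session (pid 1200) and the normal svchost.exe (pid 1500) produce nothing, while the Word process started from a temporary-folder executable is reported at creation and again, at high severity, when it opens a connection to a non-web port; the svchost.exe started by that same executable is reported on creation. In a real deployment the allow-lists would be tuned to the environment, since a legitimate Word start with no document argument from the Start menu, for example, still has explorer.exe as its parent and must not be flagged.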

Doctor Web’s virus analysts continue to monitor the spread of malicious programs belonging to the Trojan.Oficla family. Users of Dr.Web products are advised to enable automatic updating of virus databases and anti-virus components and to perform regular scans of disks on protected systems to prevent infection by such malicious programs.
