This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE DLL file). It is 27 136 bytes in size. It is written in C++.
The Trojan copies its body to the Windows system directory as "oife.mro":
In order to ensure that it is launched automatically when the system is rebooted, the Trojan adds an entry to the system registry autorun key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="Explorer.exe rundll32.exe oife.mro printer"
If Microsoft Office is installed on the user's computer, the Trojan sets the security level to low by registering the following values in the system registry key:
[HKCU\Software\Microsoft\Office\11.0\Word\Security] "Level" = "1" "AccessVBOM" = "1"
It then runs a macro that launches the original body of the Trojan.
To ensure that only one instance of it runs on the system, the Trojan creates a unique identifier:
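As an added defender-side example (not part of the original description), the following Python parses a `reg export` dump and flags the two registry changes described above: a Winlogon "Shell" value other than "Explorer.exe", and Word security values "Level" = 1 / "AccessVBOM" = 1. The sample export is constructed; the Office 11.0 key path is the one given in this description.

```python
# Constructed .reg export (not real telemetry) with the two changes described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe oife.mro printer"

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security]
"Level"=dword:00000001
"AccessVBOM"=dword:00000001
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WORD_SECURITY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security"

def parse_reg(text):
    """Parse a .reg export into {key_path: {name: value}}; dword: -> int, strings unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                value = raw  # hex:, expand strings etc. are kept as exported
            keys[current][name.strip('"')] = value
    return keys

def values_of(reg, path):
    """Case-insensitive key lookup: exports preserve whatever case the hive uses."""
    return next((v for k, v in reg.items() if k.lower() == path.lower()), {})

def find_indicators(text):
    """Return human-readable findings for the registry changes described above."""
    reg, findings = parse_reg(text), []
    # Persistence: anything appended to the Winlogon Shell value is suspicious.
    shell = str(values_of(reg, WINLOGON).get("Shell", "Explorer.exe"))
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell hijacked: {shell!r}")
    # Macro security downgrade: Level 1 = low, AccessVBOM 1 = trust VBA project access.
    sec = values_of(reg, WORD_SECURITY)
    if str(sec.get("Level", "")) == "1":
        findings.append("Word macro security Level lowered to 1")
    if str(sec.get("AccessVBOM", "")) == "1":
        findings.append("Word AccessVBOM enabled (trusts access to the VBA project)")
    return findings
```

Run it against the output of `reg export` for the two keys on a host you are checking; an empty list means both keys match the expected clean state.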
Then, the Trojan creates a process named "svchost.exe" and injects its malicious code into the process's address space:
The Trojan sends a request to the following address:
At the time of writing, this link was inactive.
In response, it receives a configuration file for its subsequent functionality.
Links received from the configuration file for downloading other malicious files are saved by the Trojan in the following registry key:
If your computer does not have antivirus software and is infected by this malicious program, follow the instructions below to delete it:
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Delete the following files:
- Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?):
%Temporary Internet Files%
- Delete the following system registry key (see What is a system registry and how do I use it?):
- If necessary, restore the values of the "Level" and "AccessVBOM" parameters in the system registry key (see What is a system registry and how do I use it?):
[HKCU\Software\Microsoft\Office\11.0\Word\Security] "Level" "AccessVBOM"
- Restore the value of the system registry key parameter to the following (see What is a system registry and how do I use it?):
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe"
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).