MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Facebook Support. Your password has been changed! ID09687”. Note that the number may change with each email.
The email is sent from the spoofed addresses:
account@facebook.com
manager@facebook.com
The message has the following body:
Dear user of FaceBook.
Your password is not safe!
To secure your account the password has been changed automatically.
Attached document contains a new password to your account and detailed information about new security measures.
Thank you for your attention,
Your Facebook
The attached ZIP file has the name New_Password_IN04393.zip, note that the number at the end will change, and contains the 33 kB large file New_Password.exe.
The trojan is known as Gen:Heur.VIZ.2 (BitDefender), Mal/FakeAV-JX (Sophos), Trojan.Generic.Bredolab-2 (ClamAV).
The following files will be created:
%System%\document.doc
Several Windows registry changes will be executed and the trojan can establish a connection to the IP 193.106.34.20 on port 80.
Data can be obtained from following URLs:
At the time of writing, only 6 of the 42 AV engines at Virus Total detected the trojan.
Virus Total permalink and MD5: ecc2d442886b7296b5bd7eaeaae0bcea.
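A mail-gateway check for the indicators described above (subject pattern with its variable number, spoofed facebook.com senders, the New_Password_IN*.zip attachment carrying an .exe, and the published MD5), as an added Python example that is not part of the MX Lab write-up. The sample builder constructs a harmless dummy message for testing; the dummy ZIP member is not the real attachment.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the write-up above; the "ID"/"IN" numbers vary per email.
SUBJECT_RE = re.compile(r"^Facebook Support\. Your password has been changed! ID\d+$")
ATTACHMENT_RE = re.compile(r"^New_Password_IN\d+\.zip$", re.IGNORECASE)
SPOOFED_SENDERS = {"account@facebook.com", "manager@facebook.com"}
KNOWN_MD5 = {"ecc2d442886b7296b5bd7eaeaae0bcea"}


def campaign_indicators(raw_message: bytes) -> list[str]:
    """Return the write-up's indicators that a raw RFC 822 message matches."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if SUBJECT_RE.match((msg["Subject"] or "").strip()):
        hits.append("subject")
    if parseaddr(msg["From"] or "")[1].lower() in SPOOFED_SENDERS:
        hits.append("spoofed-sender")
    for part in msg.iter_attachments():
        if not ATTACHMENT_RE.match(part.get_filename() or ""):
            continue
        hits.append("attachment-name")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.infolist():
                    if member.filename.lower().endswith(".exe"):
                        hits.append("zip-contains-exe")
                    if hashlib.md5(zf.read(member)).hexdigest() in KNOWN_MD5:
                        hits.append("known-md5")
        except zipfile.BadZipFile:
            hits.append("malformed-zip")  # flag a broken archive rather than passing it
    return hits


def build_sample(subject: str, sender: str, zip_name: str, inner_name: str) -> bytes:
    """Construct a harmless test message carrying a ZIP with one dummy member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"not a real executable")  # constructed content
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, "user@example.com"
    msg.set_content("Dear user of FaceBook.\nYour password is not safe!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

A gateway rule would quarantine on the subject or attachment-name hit alone; the ZIP inspection and hash match are there to confirm a sample, not to be the only trigger.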
Posted on 12 April 2011. Tags: “Facebook, been, changed”, contains, password, support, Trojan
The above information is reprinted from and copyrighted © by MX Lab.