MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “New Facebook password!”.
The email is sent from the spoofed address “Facebook Manager, Loraine Nwabeke” <juliancb@facebook.com> and has the following body:
Dear user of facebook.
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
Your Facebook.
The attached ZIP file is named FaceBook_Password_Nr47825.zip and contains the 32 kB file FaceBookDOC.exe.
The trojan is known as W32/Oficla.BC (Authentium), Heuristic.Trojan.SusPacked.TMS (ClamAV), Suspicious file (Panda).
The following files will be created:
%Temp%\1.tmp
%System%\hyli.igo
The following registry key is created:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid
The following registry key is modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell =
At the time of writing, only 4 of the 43 AV engines at Virus Total detected the trojan.
Virus Total permalink and MD5: 1a12dc605dbcecb119b53d1d896693ab.
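A mail-gateway check for the attachment pattern described above (a ZIP attachment carrying an executable), as an added example that is not MX Lab's code: it flags ZIP attachments with executable or encrypted members and compares MD5 values against the hash in this post. The function names, the extension list and the sample message are assumptions made for the illustration.

```python
import email
import hashlib
import io
import zipfile
from email.message import EmailMessage

# MD5 from the post; it does not say whether it is the ZIP or the EXE, so check both.
KNOWN_MD5 = {"1a12dc605dbcecb119b53d1d896693ab"}
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")  # assumed list, not from the post

def scan_message(raw_bytes):
    """Return (attachment, member, reason) findings for ZIP attachments."""
    findings = []
    for part in email.message_from_bytes(raw_bytes).walk():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if not payload or not name.lower().endswith(".zip"):
            continue
        if hashlib.md5(payload).hexdigest() in KNOWN_MD5:
            findings.append((name, None, "known-md5"))
        try:
            archive = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            findings.append((name, None, "unreadable-zip"))
            continue
        for info in archive.infolist():
            if info.flag_bits & 0x1:  # encrypted member, content cannot be inspected
                findings.append((name, info.filename, "encrypted-member"))
                continue
            if info.filename.lower().endswith(EXECUTABLE_EXT):
                findings.append((name, info.filename, "executable-in-zip"))
            if hashlib.md5(archive.read(info)).hexdigest() in KNOWN_MD5:
                findings.append((name, info.filename, "known-md5"))
    return findings

def build_sample():
    """Constructed message: harmless bytes under the file names given in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("FaceBookDOC.exe", b"constructed placeholder, not malware")
    msg = EmailMessage()
    msg["Subject"] = "New Facebook password!"
    msg.set_content("You can find your new password in attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FaceBook_Password_Nr47825.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

With only 4 of 43 engines detecting the sample, the structural rule (executable inside a ZIP) is what catches it; in production, cap `info.file_size` before reading members so an oversized archive cannot exhaust memory.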
Posted on 24 September 2010. Tags: “New, contains, emails, Facebook, password”, Trojan, W32/Oficla.BC