MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your facebook password has been changed”.
The email is sent from the spoofed address “Your Facebook <information@facebook.com>” and has the following body:
Dear user of facebook,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
Your Facebook.
The attached ZIP file has the name Facebook_document.zip and contains the 36 kB file Facebook_document.exe.
The trojan is known as Win32/Oficla.II (NOD), Trojan.Win32.Oficla.lh (Kaspersky), Troj/Mdrop-CWY (Sophos), Win32:Trojan-gen (Avast).
The following files will be created:
%Temp%\1.tmp
%System%\fvfj.sxo
The following registry key is created:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid
The following registry key is modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell =
VirusTotal permalink and MD5: de52c0b214dd3592e0dae23a9acc343c.
Posted on 16 September 2010.