Facebook message with link to striptease video leads to malware


A message purporting to come from Facebook, with the subject line “FaceBook message: Magnificent Striptease Dance (Last rated by Lorena Keyes)”, contains a URL that leads to a host serving malware.

Some alternative subjects are:

FaceBook message: Magnificent girl dancing video clip (Last rated by Sal Velasquez)
FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Abe Bain)
FaceBook message: Hot Girl Dancing At Striptease Dance Party (Last rated by Lowell Clay)
FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Shane Lucas)

The body of the email:

Messages from Your Friends on Facebook, March 19, 2009

You have 1 Personal Message:
Video title: “Amanda is dancing on Striptease Dance Party, March 14, 2009! We’re absolutely shocked!”.

Proceed to view full video message:

hxxp://facebook.shared.default.personalid-f58xc9cp8.launchpad.videosshared.com/home.htm?/efsonline/application=3l6mwjxsb1kpema

Message ID: FB-wtq2w9w5ig7z5gf
2009 Facebook community, Message Center.

The URL leads to a Facebook look-alike web site that offers the video. Note that “facebook” appears only as the first label of the hostname; the registered domain is videosshared.com.
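The check below is an added example, not code from the original post: it takes the lure URL quoted above and flags it because the brand name sits in a subdomain while the registrable domain is something else. It assumes a simplified registrable domain (the last two hostname labels) and a small hard-coded table of legitimate domains; a production version would use the Public Suffix List instead.

```python
# Added example (not from the original post): flag a lure URL whose hostname
# merely contains a brand name while its registrable domain belongs to someone
# else. The URL is the one quoted in the post (scheme defanged as hxxp there).
# Assumption: a two-label registrable domain (e.g. videosshared.com); real
# traffic needs the Public Suffix List rather than this simplification.
from typing import Optional
from urllib.parse import urlsplit

# Brands we expect to see only under their own registrable domain (assumed table).
LEGIT_DOMAINS = {
    "facebook": {"facebook.com"},
}


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels of the hostname."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_mismatch(url: str) -> Optional[dict]:
    """Return details if a brand name appears in the hostname but the
    registrable domain is not one of that brand's legitimate domains."""
    # Re-arm defanged schemes so urlsplit parses the host correctly.
    armed = url.replace("hxxps://", "https://").replace("hxxp://", "http://")
    host = urlsplit(armed).hostname or ""
    reg = registrable_domain(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in host and reg not in legit:
            return {"brand": brand, "host": host, "registrable": reg}
    return None


# The lure URL from the post.
LURE = ("hxxp://facebook.shared.default.personalid-f58xc9cp8.launchpad."
        "videosshared.com/home.htm?/efsonline/application=3l6mwjxsb1kpema")

if __name__ == "__main__":
    print(brand_mismatch(LURE))
    print(brand_mismatch("https://www.facebook.com/messages/"))
```

The substring test deliberately catches the brand anywhere in the hostname, including hyphenated labels such as facebook-video, so that only the registrable domain decides whether the link is trusted.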

From this page you are told to download the newest Adobe Flash Player in order to view the video. The file offered, Flash_Adobe11.exe, is the same malware as in the Comcast High Speed Self Installation Kit campaign posted earlier today.

The malware installs Rootkit.Agent.EX, which hides its presence on the infected machine so that it can carry out its actions without the user’s knowledge. It creates the files %Windir%\9129837.exe, %System%\abcdefg.bat and %Windir%\new_drv.sys (a hidden file) on the infected machine.

A new hidden process, 9129837.exe, is started and the following system services are stopped: ALG (Application Layer Gateway Service), SharedAccess (Windows Firewall/Internet Connection Sharing) and wscsvc (Security Center). The malware then connects to 58.65.232.17 on TCP port 80 and sends one of the following GET requests:

cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000

cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000
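The script below is an added example and not part of the original post: it runs the beacon pattern described above over a few constructed proxy log lines and pulls out the fields an analyst would pivot on. The C2 IP, the two CGI names and the query parameter names are taken from the post; the log format (timestamp, client, method, URL, status) and the sample lines are assumed.

```python
# Added example (not from the original post): detect the C2 beacons described
# above in proxy logs. C2 IP, CGI names and parameter names come from the post;
# the log format and the sample lines below are constructed for this example.
import re
from urllib.parse import urlsplit, parse_qs

C2_IP = "58.65.232.17"
# Parameters present in both GET requests shown in the post.
BEACON_PARAMS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}
CGI_RE = re.compile(r"/cgi-bin/(cmd|options)\.cgi$")

# Assumed log format: "<ts> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(line):
    """Return a dict describing a beacon hit for one log line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    cgi = CGI_RE.search(url.path)
    if m["method"] != "GET" or cgi is None:
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    # Require the full parameter set; a partial match is only a weak signal,
    # since cmd.cgi and options.cgi are common enough names on benign hosts.
    if not BEACON_PARAMS <= set(qs):
        return None
    return {
        "ts": m["ts"],
        "client": m["client"],
        "c2_host": url.hostname,
        "known_c2_ip": url.hostname == C2_IP,
        "cgi": cgi.group(1),
        "user_id": qs["user_id"][0],
        "socks": qs["socks"][0],
        "passphrase": qs["passphrase"][0],
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [h for h in (classify(l) for l in lines) if h]


# Constructed sample log: two beacons from one client, plus two benign lines.
SAMPLE_LOG = """\
2009-03-19T10:02:11 10.0.0.5 GET http://58.65.232.17/cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000 200
2009-03-19T10:02:12 10.0.0.5 GET http://58.65.232.17/cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000 200
2009-03-19T10:03:40 10.0.0.7 GET http://www.example.com/cgi-bin/cmd.cgi?user_id=1 200
2009-03-19T10:04:01 10.0.0.9 GET http://www.example.com/index.html 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on the parameter set rather than on the IP alone keeps the detection useful after the C2 address changes; the known_c2_ip field only adds confidence when the address from the post is also seen.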

VirusTotal permalink and MD5: 8bf819ad4704aab758f86684a108c2a1.
