Bredolab masked as Facebook Password Reset Confirmation
October 27, 2009 18 Comments
MX Lab detected a new Bredolab variant masking itself as the “Facebook Password Reset Confirmation”. The From address in the email is shown as “The Facebook Team <service@facebook.com>” but the real SMTP from address is spoofed.
The attachment is named Facebook_Password_4cf91.zip and contains the file Facebook_Password_4cf91.exe. The part between the final underscore and .zip is chosen randomly and consists of letters and digits.
The trojan is known as Trojan.Downloader.Bredolab.AZ (BitDefender), Bredolab.gen.a (McAfee) or W32/Obfuscated.D2!genr (Norman) and is only detected by 14 of the 41 AV engines at Virus Total.
The body of the email:
Hey vguysville ,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
The Facebook Team
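The traits described above (a From header claiming facebook.com while the envelope sender is elsewhere, a Facebook_Password_<random>.zip attachment, and an .exe inside that zip) can be checked on a raw message. The following is an added example, not code from the MX Lab post; the message is constructed here, the .exe is a dummy, and representing the envelope sender as a Return-Path header is an assumption about how the receiving MTA records it.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment name pattern described in the post: Facebook_Password_<random letters/digits>.zip
ATTACHMENT_RE = re.compile(r"^Facebook_Password_[a-z0-9]+\.zip$", re.IGNORECASE)
CLAIMED_DOMAIN = "facebook.com"


def build_sample() -> bytes:
    # Constructed sample modelled on the campaign; not a real capture, the .exe is a dummy.
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("Facebook_Password_4cf91.exe", b"MZ placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "The Facebook Team <service@facebook.com>"
    msg["Return-Path"] = "<bounce@example.invalid>"  # envelope sender differs from header From
    msg["Subject"] = "Facebook Password Reset Confirmation."
    msg.set_content("Because of the measures taken to provide safety to our clients, "
                    "your password has been changed.")
    msg.add_attachment(zipped.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_4cf91.zip")
    return msg.as_bytes()


def classify(raw: bytes) -> list:
    # Return the indicators found in one raw message: header/envelope mismatch, lure name, exe-in-zip.
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    _, hdr_addr = parseaddr(str(msg["From"] or ""))
    _, env_addr = parseaddr(str(msg["Return-Path"] or ""))
    hdr_dom = hdr_addr.rpartition("@")[2].lower()
    env_dom = env_addr.rpartition("@")[2].lower()
    if hdr_dom == CLAIMED_DOMAIN and env_dom and env_dom != CLAIMED_DOMAIN:
        findings.append(f"spoofed-from:{hdr_addr}<>{env_addr}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            findings.append(f"lure-attachment:{name}")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                for inner in zf.namelist():
                    if inner.lower().endswith(".exe"):
                        findings.append(f"exe-in-zip:{inner}")
        except zipfile.BadZipFile:
            pass  # not a zip archive; nothing further to inspect
    return findings
```

Any of the three findings on its own is a reason to quarantine the message for review; all three together match this campaign.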
Bredolab is a trojan horse that downloads and executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions).
This Bredolab variant will create the files:
%AppData%\wiaservg.log
%Windir%\temp\wpv861256600826.exe
%Programs%\Startup\isqsys32.exe
It also creates the processes isqsys32.exe and svchost.exe. The DLL %Windir%\dsqstm6.dll is loaded into the address space of Internet Explorer, and several Windows registry edits are made.
It will attempt to connect with the remote hosts on port 80: 202.39.17.53 0, 217.23.7.162 and 95.211.27.211.
It then requests the following URLs from the remote web servers:
hxxp://mmsfoundsystem.ru/public/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&v=15&rnd=8520045
hxxp://hostvegass.ru/cman/receiver/online
hxxp://wapdodoit.ru/mn/base.cfg
hxxp://www.whatsmyipaddress.com
Virus Total permalink and MD5: e3edffb53e463bc6e3f498c8aaa1e447.
[Update - 02/11/2009 5:30 PM local Belgian time]
New subject is being used:
Facebook Password Reset Confirmation. Help Centre.
Virus Total permalink and MD5: f69849928111bf764e3b1a0b39b684b7.

Just got this in – thanks for the article – circulating now!
Al
Thanks . . .
It hit Earthlink servers Oct 29th with the apparent return address:
“The Facebook Team”
Thanks for this article, It helps
thank you for this and other articles they help greatly
Thank you for your efforts and diligence. As a member of the medical community, it is important that our computers remain stable. You are doing a great service. Stay well, and be safe. Dr Hanson
recv’d this 2 or 4 times but never opened it….I knew I didn’t request my password be changed so I ignored it!!!!!! thanks for the quick word on it being a bogus….
Thanks for the information. This makes the internet safer for all the users, and we appreciate it.
Very very thanks for the valuable information……..
Someone should track these people down, use their heads for a toilet brush (public).
Got this today (Feb 9 2010) so it is going the rounds again..
I opened the mail n downloaded a link n virus has hit my comp….ny solution?? my AVG anti virus is helpless
G’day guys,
very good information! I got these emails as well but it didn’t hit me
a) I didn’t download the link
b) I’m not working under Windows
c) My boss has the admin rights so I have to ask before I get permission for download
anything – it’s sometimes a bit stressful to ask but it protects my computer
It’s very helpful to get your notification, so I can give the warning to my friends who are working under Windows, thank you for keeping me informed.
You’re doing a petty good job guys! Cheers,
Sue
sorry TYPO: not ‘petty’ PRETTY
I just received same mail. These people are criminals, I wish I could find them
Hi! Is it dangerous for mac os x as well?? If yes how can I recognize it?
Hi, I received this 17 march and for the first time in 10 years computing was silly enough to open and get infected. Luckily was directed to bleepingcomputer and got a fix. Thankfully was quickly cleansed.
This infection removed my anti-virus.
Are Mac OSX computers vulnerable to this trojan?
Thanks
It seems that we can expect this trojan to be in rage again.
The DNS record of the site wapdodoit.ru got about 200 A records yesterday – most of them are probably hacked sites. The TTL of the DNS record is 300 seconds, which means that if one site is taken down, in 10 minutes you will get the address of another site.
What is behind this? Is this just improving the availability of bulletproof hosting?
Or is this something like “Stealing of data as Service” ?
Mik