Bredolab masked as Facebook Password Reset Confirmation


MX Lab detected a new Bredolab variant masking itself as the “Facebook Password Reset Confirmation”. The From address in the email is shown as “The Facebook Team <service@facebook.com>” but the real SMTP from address is spoofed.

The attachment has the name Facebook_Password_4cf91.zip and includes the file Facebook_Password_4cf91.exe. The part between the last underscore and .zip is chosen randomly and consists of letters and numbers.

The trojan is known as Trojan.Downloader.Bredolab.AZ (BitDefender), Bredolab.gen.a (McAfee) or W32/Obfuscated.D2!genr (Norman) and is only detected by 14 of the 41 AV engines at Virus Total.

The body of the email:

Hey vguysville ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team

Bredolab is a trojan horse that downloads and executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions).

This Bredolab variant will create the files:

%AppData%\wiaservg.log
%Windir%\temp\wpv861256600826.exe
%Programs%\Startup\isqsys32.exe

It will also create the processes isqsys32.exe and svchost.exe. The DLL %Windir%\dsqstm6.dll is loaded into the address space of Internet Explorer, and several Windows registry edits are made.

It will attempt to connect to the following remote hosts on port 80: 202.39.17.53 0, 217.23.7.162 and 95.211.27.211.

The data identified by the following URLs was then requested from the remote web servers:

hxxp://mmsfoundsystem.ru/public/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&v=15&rnd=8520045
hxxp://hostvegass.ru/cman/receiver/online
hxxp://wapdodoit.ru/mn/base.cfg
hxxp://www.whatsmyipaddress.com

Virus Total permalink and MD5: e3edffb53e463bc6e3f498c8aaa1e447.

[Update - 02/11/2009  5:30 PM local Belgian time]

New subject is being used:

Facebook Password Reset Confirmation. Help Centre.

Virus Total permalink and MD5: f69849928111bf764e3b1a0b39b684b7.
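As an added example (not MX Lab's code), a mail-gateway triage check that flags the three indicators the post gives for this lure: a From header at facebook.com whose Return-Path is a different domain (the spoofed SMTP sender), the Facebook_Password_<random>.zip attachment name, and the two reported subject lines. The sample message is constructed; the Return-Path domain example.net is a placeholder.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Attachment name reported in the post: Facebook_Password_<random letters/digits>.zip
ATTACHMENT_RE = re.compile(r"^Facebook_Password_[0-9a-z]+\.zip$", re.IGNORECASE)
# Subject lines reported in the post and its update (compared case-insensitively).
KNOWN_SUBJECTS = {"facebook password reset confirmation", "facebook password reset confirmation. help centre."}


def triage(raw: bytes) -> list[str]:
    """Return the lure indicators found in a raw RFC 822 message (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # 1. Header From claims facebook.com but the envelope sender (Return-Path) does not.
    hdr_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    env_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if hdr_dom == "facebook.com" and env_dom and env_dom != hdr_dom:
        hits.append(f"spoofed sender: header domain {hdr_dom}, envelope domain {env_dom}")
    # 2. Subject is one of the reported lure subjects.
    if msg.get("Subject", "").strip().lower() in KNOWN_SUBJECTS:
        hits.append("known lure subject")
    # 3. Attachment named Facebook_Password_<random>.zip (the post says it carries an .exe).
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits.append(f"lure attachment: {name}")
    return hits


# Constructed sample message modelled on the one quoted in the post (not a real capture).
SAMPLE = b"""Return-Path: <bounce@example.net>
From: "The Facebook Team" <service@facebook.com>
Subject: Facebook Password Reset Confirmation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password has been changed. You can find your new password in attached document.
--b1
Content-Type: application/zip; name="Facebook_Password_4cf91.zip"
Content-Disposition: attachment; filename="Facebook_Password_4cf91.zip"

(zip bytes omitted)
--b1--
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)) or "no indicators")
```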

19 Responses to Bredolab masked as Facebook Password Reset Confirmation

  1. Al Allaway says:

    Just got this in – thanks for the article – circulating now!

    Al

  2. Karl says:

    Thanks . . .

    It hit Earthlink servers Oct 29th with the apparent return address:
    “The Facebook Team”

  3. n7377 says:

    Thanks for this article, it helps.

  4. bolnnie says:

    Thank you for this and other articles, they help greatly.

  5. DR D A HANSON says:

    Thank you for your efforts and diligence. As a member of the medical community, it is important that our computers remain stable. You are doing a great service. Stay well, and be safe. Dr Hanson

  6. Deborah says:

    Received this 2 or 4 times but never opened it… I knew I didn’t request my password be changed so I ignored it!!!!!! Thanks for the quick word on it being bogus…

  7. Chinenye says:

    Thanks for the information. This makes the internet safer for all the users, and we appreciate it.

  8. Dileep says:

    Very very thanks for the valuable information……..

  9. David Shantz says:

    Someone should track these people down, use their heads for a toilet brush (public).

  10. Adrian Cook says:

    Got this today (Feb 9 2010) so it is going the rounds again..

  11. Kiran says:

    I opened the mail and downloaded a link and a virus has hit my computer… any solution?? My AVG anti virus is helpless :(

  12. TRUSTCS says:

    G’day guys,

    Very good information! I got these emails as well but they didn’t hit me:

    a) I didn’t download the link
    b) I’m not working under Windows
    c) My boss has the admin rights so I have to ask before I get permission to download anything – it’s sometimes a bit stressful to ask but it protects my computer

    It’s very helpful to get your notification, so I can give the warning to my friends who are working under Windows. Thank you for keeping me informed.

    You’re doing a petty good job guys! Cheers,
    Sue

  13. TRUSTCS says:

    sorry TYPO: not ‘petty’ PRETTY ;)

  14. Ivanov says:

    I just received same mail. These people are criminals, I wish I could find them

  15. dimitris says:

    Hi! Is it dangerous for mac os x as well?? If yes how can I recognize it?

  16. John Magennis says:

    Hi, I received this 17 march and for the first time in 10 years computing was silly enough to open and get infected. Luckily was directed to bleepingcomputer and got a fix. Thankfully was quickly cleansed.
    This infection removed my anti-virus.

  17. B. Lachere says:

    Are Mac OSX computers vulnerable to this trojan?

    Thanks

  18. Michal Ambroz says:

    It seems that we can expect this trojan to be raging again.
    The DNS record of the site wapdodoit.ru got about 200 A records yesterday – most of them are probably hacked sites. The TTL of the DNS record is 300 seconds, which means if one site is taken down, in 10 minutes you will get the address of another site.

    What is behind this? Is this just improving the availability of bulletproof hosting?
    Or is this something like “Stealing of data as Service” ?
    Mik

  19. lotfi hedhli says:

    I forget my password
