Facebook updated account agreement email contains Sasfis trojan

Apparently, the virus campaigns are far from over. MX Lab reported earlier on this blog about the latest virus campaign, which appears to be an attempt to grow the Cutwail botnet by infecting new computer systems with new trojan variants launched every few days.

MX Lab now intercepts a new Facebook virus campaign sent from the spoofed address <automailer+gtevzolc@facebook.com> or similar.

The campaign is sent out with one of the following subjects:

Facebook updated account agreement
new Facebook account agreement
new account agreement

The content of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

Confirmation Code #: 3233075834

The email contains the ZIP archive agreement.zip with the 20 kB executable agreement.exe inside. This trojan is known as Trojan.Sasfis.A (BitDefender), W32/Sasfis.E (F-Prot) or Trojan:Win32/Oficla.E (Microsoft).

MX Lab submitted the sample to Virus Total at 2009.11.07 00:03:35 UTC and 21 of the 41 AV engines detected the trojan. The first sample was submitted at 2009.11.06 09:24:44 UTC. This means that more than 2 hours after the first submission, 52% of the AV engines can intercept this piece of malware.

Please do remember that Facebook, or any other company, will never communicate with you in this way. Companies like Facebook will not send attachments to update your profile, agreement or anything else.

The trojan creates the files %Temp%\1.tmp and %System%\ifmq.kqo, modifies the Windows registry and tries to connect to the remote host 193.104.27.91. The following URLs are requested:

hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=1&b=300
hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=2&b=300
hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=3&b=300

Virus Total link and MD5: c175b5afc8bb7a7f716ccf3829412ff1.
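As an added defensive example (not MX Lab's code), the following Python flags proxy log entries that match the beacon pattern listed above, either by the known host or by the generic bb.php path and query keys, and checks mail subjects against the campaign's three subjects. The proxy log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the MX Lab write-up above.
SASFIS_C2_HOST = "193.104.27.91"
SASFIS_SUBJECTS = {
    "facebook updated account agreement",
    "new facebook account agreement",
    "new account agreement",
}
# Beacon path and its four query keys as observed; the host is matched
# separately so the pattern still fires if the C2 address changes.
BEACON_PATH_RE = re.compile(r"/limpopo/bb\.php$")
BEACON_KEYS = {"id", "v", "tm", "b"}

# Constructed proxy log lines (timestamp client method url); not real traffic.
SAMPLE_PROXY_LOG = """\
2009-11-07T00:05:11Z 10.0.0.12 GET http://193.104.27.91/limpopo/bb.php?id=&v=200&tm=1&b=300
2009-11-07T00:05:12Z 10.0.0.12 GET http://www.example.com/index.html
2009-11-07T00:05:13Z 10.0.0.33 GET http://198.51.100.7/limpopo/bb.php?id=abc&v=200&tm=2&b=300
2009-11-07T00:05:14Z 10.0.0.12 GET http://193.104.27.91/limpopo/bb.php?id=&v=200&tm=3&b=300
"""

def classify_url(url):
    """Return 'known_c2', 'beacon_pattern' or None for one requested URL."""
    parts = urlsplit(url)
    # keep_blank_values so the empty 'id=' parameter still counts as present
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    if parts.hostname == SASFIS_C2_HOST:
        return "known_c2"
    if BEACON_PATH_RE.search(parts.path) and BEACON_KEYS <= keys:
        return "beacon_pattern"
    return None

def find_sasfis_beacons(log_text):
    """Scan proxy log lines; return (client, verdict, tm value) per hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash the scan
        _ts, client, _method, url = fields[:4]
        verdict = classify_url(url)
        if verdict:
            tm = parse_qs(urlsplit(url).query).get("tm", [""])[0]
            hits.append((client, verdict, tm))
    return hits

def is_lure_subject(subject):
    """True if a mail subject matches one of the campaign's subjects."""
    return subject.strip().lower() in SASFIS_SUBJECTS
```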

6 Comments

  1. I have been infected by this virus in exactly the way described. I received 100s of spoof emails supposedly from Facebook and in a moment of weakness decided to open one. BitDefender identified the virus but has not been able to disinfect or quarantine the file so has blocked the file: ifmq.kqo. At this stage I am uncertain of the implications of this. It is causing some problems logging into the internet.

  2. [...] of a grammatical error, and the fact that the email address is not used with a Facebook account; a quick google foo reveals that the attachment provided, disguised as an update to your account agreement, is a trojan [...]

  3. That’s why you should never open files from unknown sources…

  4. [...] .com 021107d91129.bourgum .com Naturally, the campaign isn't an isolated incident, with previous "Facebook updated account agreement" themed ones, using the same phone back locations as the currently ongoing one.  Related posts: Ongoing [...]

  5. Nenad is 36 years old

  6. [...] Uptick in Trojan.Sasfis Emails I am seeing an uptick in Trojans (specifically Sasfis) being posted to my “spammy” and personal accounts. Watch out for the classic “UPS Delivery” and “UPS Delivery Problem” mailings. This is the same malware that was tapping Facebook users back in November (http://blog.mxlab.eu/2009/11/07/facebook-updated-account-agreement-email-contains-sasfis-trojan/). [...]
