Facebook updated account agreement email contains Sasfis trojan
November 7, 2009 7 Comments
Apparently, the virus campaigns are far from over. MX Lab reported on this blog regarding the latest virus campaign that would be an attempt to grow the Cutwail botnet by infecting new computer systems by launching new trojan variants every few days.
MX Lab now intercepts a new Facebook virus campaign from the spoofed address <firstname.lastname@example.org> or similar.
The campaign is send out with one of the following subjects:
Facebook updated account agreement
new Facebook account agreement
new account agreement
The content of the email:
Dear Facebook user,
Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.
Please unzip the attached file and run “agreement.exe” by double-clicking it.
The Facebook Team
Confirmation Code #: 3233075834
The email contains the ZIP archive agreement.zip with the 20 kB big executable agreement.exe inside. This trojan is known as Trojan.Sasfis.A (BitDefender), W32/Sasfis.E (F-Prot) or Trojan:Win32/Oficla.E (Microsoft).
MX Lab submitted the sample to Virus Total at 2009.11.07 00:03:35 UTC and 21 of the 41 AV engines did detect the trojan. The first sample was submitted at 2009.11.06 09:24:44 UTC. So this means that after more than 2 hours 52% of the AV engines can intercept this piece of malware.
Please do remember that Facebook, or any other company, will not communicate in any way like this. Companies like Facebook will not send attachments to update your profile, agreement or anything else.
The trojan will create the files %Temp%\1.tmp and %System%\ifmq.kqo, modify the Windows registry and will try to connect to the remote host 220.127.116.11. The following URLs are requested:
Virus Total link and MD5: c175b5afc8bb7a7f716ccf3829412ff1.