New Bredolab variant targets Facebook users

MX Lab intercepts a new Bredolab trojan variant masked as an email from Facebook, sent from the spoofed email address The Facebook Team <change@facebook.com>. The subject of the message is “Facebook Password Reset Confirmation! Your Support.” and the body of the email contains the following content:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

As with the previous virus outbreak targeting Facebook users, this email instructs the recipient to open the attached document Facebook_password_357.zip. Once extracted, the 56 kB file Facebook_password_357.exe is available.

The trojan will create the following files on an infected system:

* %Temp%\1.tmp
* %System%\nnfj.tqo

The following Windows registry key is created:

* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid

The following Windows registry value was modified:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    * Shell =
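The artifacts listed above can be checked for on a Windows host with a short script. This is an added example, not code from MX Lab; it assumes $env:TEMP and $env:SystemRoot\System32 correspond to the %Temp% and %System% locations above, and that the expected Winlogon Shell value is the Windows default explorer.exe (an assumption not stated in the write-up).

```powershell
# Added example (not MX Lab's code): look for the files and registry
# artifacts this Bredolab variant leaves behind. Run in an elevated session.
# Assumptions: %Temp% = $env:TEMP, %System% = $env:SystemRoot\System32,
# and the default Winlogon Shell value is 'explorer.exe'.

$findings = @()

# Files the trojan drops. 1.tmp is a generic name and may exist for
# unrelated reasons; nnfj.tqo in the system directory is the stronger indicator.
$droppedFiles = @(
    (Join-Path $env:TEMP '1.tmp'),
    (Join-Path $env:SystemRoot 'System32\nnfj.tqo')
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $findings += "Dropped file present: $f"
    }
}

# Registry key the trojan creates.
$markerKey = 'HKLM:\SOFTWARE\Classes\idid'
if (Test-Path -LiteralPath $markerKey) {
    $findings += "Marker key present: $markerKey"
}

# Winlogon Shell value the trojan modifies. Anything other than the default
# means a different program is started in place of the desktop at logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -ne $shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell is not the default: '$shell'"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Bredolab/Facebook_password artifacts found.'
} else {
    Write-Warning 'Possible Bredolab infection:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A non-default Shell value on its own is worth investigating even when the dropped files have already been cleaned up, since it is the persistence point that survives a reboot.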
