“Spam from your Facebook account” messages contain trojan
April 28, 2011 3 Comments
MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with one of the following subjects:
Spam from your account
Spam from your Facebook account
Your password has been changed
The email is from “Facebook Abuse Department” and uses a spoofed sender address in the format ***@facebook.com, where the part before the @-sign is one of several names starting with a capital letter. The body reads:
Dear client
Spam is sent from your FaceBook account.
Your password has been changed for safety.
Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one. Please do not reply to this email, it’s automatic mail notification!
Thank you for using our services.
FaceBook Service.
The attached ZIP file is named Attached_SecurityCode08592.zip, where the number is chosen randomly, and contains the 33 kB file Attached_SecurityCode.exe.
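The sender, subject and attachment traits described above are enough to write a gateway-side check. The following is an added example (not MX Lab's code): it builds a constructed message that mimics the campaign (the local part `Jonathan` and the ZIP's inert placeholder bytes are assumptions, not captured data), parses it with Python's `email` package and reports which campaign traits are present.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the MX Lab description above.
LURE_SUBJECTS = {
    "spam from your account",
    "spam from your facebook account",
    "your password has been changed",
}
SPOOFED_DISPLAY_NAME = "facebook abuse department"
SPOOFED_DOMAIN = "facebook.com"
# Attached_SecurityCode<random digits>.zip
ATTACHMENT_NAME_RE = re.compile(r"^attached_securitycode\d+\.zip$")
INNER_EXE_NAME = "attached_securitycode.exe"


def build_sample_message() -> bytes:
    """Constructed sample mimicking the campaign; NOT a captured message.
    The ZIP holds an entry with the malware's file name but inert placeholder bytes."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Attached_SecurityCode.exe", b"inert placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "Facebook Abuse Department <Jonathan@facebook.com>"  # local part assumed
    msg["To"] = "user@example.org"
    msg["Subject"] = "Spam from your Facebook account"
    msg.set_content("Dear client\nSpam is sent from your FaceBook account.\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Attached_SecurityCode08592.zip")
    return bytes(msg)


def build_benign_message() -> bytes:
    """Constructed benign control message with no attachment."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.org>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Lunch tomorrow?"
    msg.set_content("See you at noon.\n")
    return bytes(msg)


def campaign_indicators(raw: bytes) -> list:
    """Return the names of the campaign traits found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = str(msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        hits.append("lure_subject")

    from_hdr = msg["From"]
    if from_hdr is not None and from_hdr.addresses:
        sender = from_hdr.addresses[0]
        if (sender.display_name.strip().lower() == SPOOFED_DISPLAY_NAME
                and sender.domain.lower() == SPOOFED_DOMAIN):
            hits.append("spoofed_facebook_sender")
        if sender.username[:1].isupper():  # page notes a capitalised local part
            hits.append("capitalised_local_part")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if ATTACHMENT_NAME_RE.match(name):
            hits.append("attachment_name_pattern")
        payload = part.get_content()
        if isinstance(payload, bytes) and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = [n.lower() for n in zf.namelist()]
            if INNER_EXE_NAME in members:
                hits.append("zip_contains_attached_securitycode_exe")
            elif any(n.endswith(".exe") for n in members):
                hits.append("zip_contains_exe")
    return hits


def should_quarantine(raw: bytes) -> bool:
    """Quarantine when an executable inside a ZIP is combined with the lure or the spoofed sender."""
    hits = set(campaign_indicators(raw))
    exe_in_zip = bool(hits & {"zip_contains_attached_securitycode_exe", "zip_contains_exe"})
    return exe_in_zip and bool(hits & {"lure_subject", "spoofed_facebook_sender"})


if __name__ == "__main__":
    sample = build_sample_message()
    print(campaign_indicators(sample))
    print("quarantine:", should_quarantine(sample))
```

The quarantine rule deliberately keys on the executable-in-ZIP trait rather than on the subject line alone, so a renamed lure still trips it while a plain-text notice with one of the listed subjects does not.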
The trojan is known as W32/Trojan2.NNGG (Commtouch) and Troj/DwnLdr-IZR (Sophos). This trojan will install itself on the infected computer and has a built-in SMTP engine for spreading its payload further by email.
The following files will be created:
%Temp%\_check32.bat
%Windir%\s32.txt
%System%\aspimgr.exe
%System%\document.doc
%Windir%\ws386.ini
Several Windows registry changes will be executed, and the trojan can establish connections with the following IPs:
| Remote Host | Port Number |
|---|---|
| 148.223.242.243 | 25 |
| 148.244.121.6 | 25 |
| 161.132.8.44 | 25 |
| 174.120.139.92 | 25 |
| 200.157.233.13 | 25 |
| 200.57.129.65 | 25 |
| 200.57.129.66 | 25 |
| 204.200.167.219 | 25 |
| 207.193.205.1 | 25 |
| 216.200.145.36 | 25 |
| 194.247.183.170 | 80 |
| 91.207.178.169 | 80 |
Data can be obtained from the following URLs:
- hxxp://cl63amgstart.ru:80/board.php
- hxxp://campaigncommunications.ru/connect/load.php?file=document
- hxxp://campaigncommunications.ru/connect/load.php?file=2
- hxxp://campaigncommunications.ru/connect/load.php?file=3
- hxxp://campaigncommunications.ru/connect/load.php?file=4
- hxxp://campaigncommunications.ru/connect/load.php?file=5
- hxxp://campaigncommunications.ru/connect/load.php?file=6
- hxxp://campaigncommunications.ru/connect/load.php?file=7
- hxxp://campaigncommunications.ru/connect/load.php?file=8
- hxxp://campaigncommunications.ru/connect/load.php?file=9
- hxxp://campaigncommunications.ru/connect/load.php?file=uploader
- hxxp://campaigncommunications.ru/connect/load.php?file=0
- hxxp://campaigncommunications.ru/connect/load.php?file=0&luck=1
- hxxp://campaigncommunications.ru/connect/load.php?file=1
- hxxp://campaigncommunications.ru/connect/load.php?file=1&luck=1
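The remote hosts and download URLs above are the network indicators a defender would push into firewall and proxy log searches. The following is an added example, not MX Lab's code: it takes the endpoint table and a representative subset of the defanged URLs from this post, normalises each URL to host plus path (so every `file=...` variant of `load.php` collapses to one indicator) and runs both sets over constructed, not captured, firewall and proxy log lines whose format is assumed for the example.

```python
import re
from urllib.parse import urlsplit

# Remote hosts and ports listed in the write-up above.
IOC_ENDPOINTS = {
    ("148.223.242.243", 25), ("148.244.121.6", 25), ("161.132.8.44", 25),
    ("174.120.139.92", 25), ("200.157.233.13", 25), ("200.57.129.65", 25),
    ("200.57.129.66", 25), ("204.200.167.219", 25), ("207.193.205.1", 25),
    ("216.200.145.36", 25), ("194.247.183.170", 80), ("91.207.178.169", 80),
}

# Representative defanged download URLs from the write-up ("hxxp" stands in for "http").
IOC_URLS = [
    "hxxp://cl63amgstart.ru:80/board.php",
    "hxxp://campaigncommunications.ru/connect/load.php?file=document",
    "hxxp://campaigncommunications.ru/connect/load.php?file=uploader",
    "hxxp://campaigncommunications.ru/connect/load.php?file=0&luck=1",
]


def url_key(url: str):
    """Normalise a (possibly defanged) URL to (hostname, path).
    The query string is dropped so every file=... variant maps to one indicator,
    and an explicit default port (":80") is discarded by urlsplit().hostname."""
    parts = urlsplit(re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE))
    return (parts.hostname or "").lower(), parts.path or "/"


IOC_URL_KEYS = {url_key(u) for u in IOC_URLS}

# Constructed sample logs (not real captures); internal hosts use RFC 5737 addresses.
FIREWALL_LOG = """\
Apr 28 10:01:02 fw kernel: OUT src=192.0.2.15 dst=148.223.242.243 proto=TCP sport=49211 dport=25
Apr 28 10:01:05 fw kernel: OUT src=192.0.2.15 dst=198.51.100.7 proto=TCP sport=49212 dport=443
Apr 28 10:01:09 fw kernel: OUT src=192.0.2.15 dst=91.207.178.169 proto=TCP sport=49213 dport=80
Apr 28 10:01:11 fw kernel: OUT src=192.0.2.15 dst=91.207.178.169 proto=TCP sport=49214 dport=443
"""

PROXY_LOG = """\
1304000000.123 192.0.2.15 GET http://campaigncommunications.ru/connect/load.php?file=uploader 200
1304000001.456 192.0.2.15 GET http://example.com/index.html 200
1304000002.789 192.0.2.15 GET http://cl63amgstart.ru/board.php 200
"""

_FW_RE = re.compile(r"\bdst=(?P<dst>[\d.]+)\b.*\bdport=(?P<dport>\d+)\b")


def match_firewall(log_text: str) -> list:
    """Return (line_number, 'ip:port') for outbound connections to a listed endpoint.
    Matching is on the exact ip:port pair from the table, so line 4 (port 443) is not a hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = _FW_RE.search(line)
        if m and (m["dst"], int(m["dport"])) in IOC_ENDPOINTS:
            hits.append((lineno, f"{m['dst']}:{m['dport']}"))
    return hits


def match_proxy(log_text: str) -> list:
    """Return (line_number, 'host/path') for requests whose host+path match a listed URL."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue
        host, path = url_key(fields[3])
        if (host, path) in IOC_URL_KEYS:
            hits.append((lineno, host + path))
    return hits


if __name__ == "__main__":
    print(match_firewall(FIREWALL_LOG))
    print(match_proxy(PROXY_LOG))
```

Matching on the exact ip:port pair keeps false positives down for shared hosting addresses; if you would rather alert on any traffic to the listed hosts, build a second set from the IP column alone and check `m["dst"]` against it.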
At the time of writing, only 2 of the 41 AV engines at VirusTotal detected the trojan.
Virus Total permalink and MD5: 72a45688ba03a9bfd3b3755c33843dcd.

Pingback: An email from Facebook saying “Your password is Changed”: dangerous! | パソコンドクターWIN
I think that probably you feel that it was a virus in my Facebook, but it wasn't that, it was me sending daily mails to people who live around here, and it can be like a promotional menu of my little restaurant.
That's why I beg you to please return my account to send this kind of messages. Please.
Please, I need an answer from you guys.
I can't log in to my Facebook. I think it may be spam. I have added a strange person, so now I am asking great apologies. I can't live without Facebook, my all friends.