“Spam from your Facebook account” messages contain trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with one of the following subjects:

Spam from your account
Spam from your Facebook account
Your password has been changed

The email is from “Facebook Abuse Department” containing a spoofed email address in the format ***@facebook.com, where the part before the @-sign contains different names starting with a capital, and has the following body:

Dear client

Spam is sent from your FaceBook account.

Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Please do not reply to this email, it’s automatic mail notification!

Thank you for using our services.
FaceBook Service.

The attached ZIP file has the name Attached_SecurityCode08592.zip, where the number is chosen randomly, and contains the 33 kB file Attached_SecurityCode.exe.

The trojan is known as W32/Trojan2.NNGG (Commtouch) and Troj/DwnLdr-IZR (Sophos). This trojan installs itself on the infected computer and has a built-in SMTP engine for spreading its payload further by email.

The following files will be created:

%Temp%\_check32.bat
%Windir%\s32.txt
%System%\aspimgr.exe
%System%\document.doc
%Windir%\ws386.ini

Several Windows registry changes will be executed and the trojan can establish connections with the following IPs:


Data can be obtained from the following URLs:


At the time of writing, only 2 of the 41 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 72a45688ba03a9bfd3b3755c33843dcd.

“Facebook Support. Your password has been changed!” contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Facebook Support. Your password has been changed! ID09687”. Note that the number may change with each email.

The email is sent from the spoofed addresses:

account@facebook.com
manager@facebook.com

The message has the following body:

Dear user of FaceBook.

Your password is not safe!
To secure your account the password has been changed automatically.

Attached document contains a new password to your account and detailed information about new security measures.

Thank you for your attention,
Your Facebook

The attached ZIP file has the name New_Password_IN04393.zip, where the number at the end will change, and contains the 33 kB file New_Password.exe.

The trojan is known as Gen:Heur.VIZ.2 (BitDefender), Mal/FakeAV-JX (Sophos), Trojan.Generic.Bredolab-2 (ClamAV).

The following files will be created:

%System%\document.doc

Several Windows registry changes will be executed and the trojan can establish a connection with the IP 193.106.34.20 on port 80.

Data can be obtained from the following URLs:


At the time of writing, only 6 of the 42 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: ecc2d442886b7296b5bd7eaeaae0bcea.

“New Facebook password!” emails contain W32/Oficla.BC trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “New Facebook password!”

The email is sent from the spoofed address “Facebook Manager, Loraine Nwabeke” <juliancb@facebook.com> and has the following body:

Dear user of facebook.
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
Your Facebook.

The attached ZIP file has the name FaceBook_Password_Nr47825.zip and contains the 32 kB file FaceBookDOC.exe.

The trojan is known as W32/Oficla.BC (Authentium), Heuristic.Trojan.SusPacked.TMS (ClamAV), Suspicious file (Panda).

The following files will be created:

%Temp%\1.tmp
%System%\hyli.igo

The following registry key is created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid

The following registry key is modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell =

At the time of writing, only 4 of the 43 AV engines at Virus Total detected the trojan.

Virus Total permalink and MD5: 1a12dc605dbcecb119b53d1d896693ab.

New Bredolab variant targets Facebook users


MX Lab intercepts a new Bredolab trojan variant masked as an email from Facebook sent from the spoofed email address The Facebook Team <change@facebook.com>. The subject of the message is “Facebook Password Reset Confirmation! Your Support.” and the body of the email contains the following content:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

As with the previous virus outbreak targeting Facebook users, this email contains instructions to open the attached document Facebook_password_357.zip. Once extracted, the 56 kB file Facebook_password_357.exe is available.

The trojan will create the following files on an infected system:

%Temp%\1.tmp
%System%\nnfj.tqo

The following Windows registry key is created:

* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid

The following Windows registry value is modified:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Shell =

Facebook updated account agreement email contains Sasfis trojan


Apparently, the virus campaigns are far from over. MX Lab reported on this blog about the latest virus campaign, which appears to be an attempt to grow the Cutwail botnet by infecting new computer systems with new trojan variants launched every few days.

MX Lab now intercepts a new Facebook virus campaign from the spoofed address <automailer+gtevzolc@facebook.com> or similar.

The campaign is sent out with one of the following subjects:

Facebook updated account agreement
new Facebook account agreement
new account agreement

The content of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

Confirmation Code #: 3233075834

The email contains the ZIP archive agreement.zip with the 20 kB executable agreement.exe inside. This trojan is known as Trojan.Sasfis.A (BitDefender), W32/Sasfis.E (F-Prot) or Trojan:Win32/Oficla.E (Microsoft).

MX Lab submitted the sample to Virus Total at 2009.11.07 00:03:35 UTC, where 21 of the 41 AV engines detected the trojan. The first sample had been submitted at 2009.11.06 09:24:44 UTC, so more than 2 hours later 52% of the AV engines can intercept this piece of malware.

Please do remember that Facebook, or any other company, will not communicate in any way like this. Companies like Facebook will not send attachments to update your profile, agreement or anything else.

The trojan will create the files %Temp%\1.tmp and %System%\ifmq.kqo, modify the Windows registry and will try to connect to the remote host 193.104.27.91. The following URLs are requested:

hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=1&b=300
hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=2&b=300
hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=3&b=300

Virus Total link and MD5: c175b5afc8bb7a7f716ccf3829412ff1.

Bredolab masked as Facebook Password Reset Confirmation


MX Lab detected a new Bredolab variant masking itself as the “Facebook Password Reset Confirmation”. The From address in the email is shown as “The Facebook Team <service@facebook.com>” but the real SMTP from address is spoofed.

The attachment has the name Facebook_Password_4cf91.zip and includes the file Facebook_Password_4cf91.exe. The part between the underscore and .zip is chosen randomly and consists of letters and numbers.

The trojan is known as Trojan.Downloader.Bredolab.AZ (BitDefender), Bredolab.gen.a (McAfee) or W32/Obfuscated.D2!genr (Norman) and is only detected by 14 of the 41 AV engines at Virus Total.

The body of the email:

Hey vguysville ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team

Bredolab is a trojan horse that downloads and executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions).

This Bredolab variant will create the files:

%AppData%\wiaservg.log
%Windir%\temp\wpv861256600826.exe
%Programs%\Startup\isqsys32.exe

It will also create the processes isqsys32.exe and svchost.exe. The DLL %Windir%\dsqstm6.dll is loaded into the address space of Internet Explorer, and several Windows registry edits are made.

It will attempt to connect on port 80 to the remote hosts 202.39.17.53, 217.23.7.162 and 95.211.27.211.

The data identified by the following URLs was then requested from the remote web servers:

hxxp://mmsfoundsystem.ru/public/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&v=15&rnd=8520045
hxxp://hostvegass.ru/cman/receiver/online
hxxp://wapdodoit.ru/mn/base.cfg
hxxp://www.whatsmyipaddress.com

Virus Total permalink and MD5: e3edffb53e463bc6e3f498c8aaa1e447.

[Update - 02/11/2009  5:30 PM local Belgian time]

New subject is being used:

Facebook Password Reset Confirmation. Help Centre.

Virus Total permalink and MD5: f69849928111bf764e3b1a0b39b684b7.
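Every campaign on this page shares one shape: a From: address at facebook.com and a ZIP attachment whose only content is an executable with a new-password or agreement style name. The following gateway-side triage check is an added Python example, not MX Lab's code; the archive-name patterns are generalised from the attachment names quoted above, and the sample messages it builds are constructed, not captured.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# ZIP names from the campaigns above; the random digit/hex suffixes are generalised.
LURE_ZIP_RE = re.compile(
    r"^(Attached_SecurityCode\d+|New_Password_IN\d+|FaceBook_Password_Nr\d+"
    r"|Facebook_password_[0-9a-f]+|agreement)\.zip$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")

def zip_member_names(data: bytes) -> list[str]:
    """List the members of a ZIP payload; a corrupt archive yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def triage(raw: bytes) -> tuple[bool, list[str]]:
    """Flag a message when the From: domain is facebook.com AND a ZIP attachment
    matches a known lure name or holds only executables. Returns (verdict, indicators)."""
    msg = message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    brand_spoof = sender.rpartition("@")[2].lower() == "facebook.com"
    indicators = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        if LURE_ZIP_RE.match(name):
            indicators.append(f"known lure archive name: {name}")
        members = zip_member_names(part.get_payload(decode=True))
        if members and all(m.lower().endswith(EXECUTABLE_EXT) for m in members):
            indicators.append(f"archive holds only executables: {members}")
    return brand_spoof and bool(indicators), indicators

def build_sample(sender: str, subject: str, zip_name: str, members: dict) -> bytes:
    """Constructed test message (not a captured sample) carrying a ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", subject
    msg.set_content("Your new password is in the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return bytes(msg)
```

The brand check alone never triggers a verdict; a facebook.com sender with a harmless archive passes, while an executable-only ZIP under an unseen name is still flagged.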
