Spam from your account
Spam from your Facebook account
Your password has been changed

The email is from “Facebook Abuse Department” containing a spoofed email address in the format ***@facebook.com, where the part before the @-sign contains different names starting with a capital, and has the following body:

Dear client

Spam is sent from your FaceBook account.

Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Please do not reply to this email, it’s automatic mail notification!

Thank you for using our services.
FaceBook Service.

The attached ZIP file has the name Attached_SecurityCode08592.zip, where the number is choosen randomly, and contains the 33 kB large file Attached_SecurityCode.exe.

The trojan is known as W32/Trojan2.NNGG (Commtouch) and Troj/DwnLdr-IZR (Sophos). This trojan will install itself on the infected computer and has a build in SMTP engine for spreading its payload further by email.

The following files will be created:

%Temp%\_check32.bat
%Windir%\s32.txt
%System%\aspimgr.exe
%System%\document.doc
%Windir%\ws386.ini

Several Windows registry changes will be exectued and the trojan can establish connection with the following IPs:

Data can be obtained from following URLs:

• hxxp://cl63amgstart.ru:80/board.php
• hxxp://campaigncommunications.ru/connect/load.php?file=document
• hxxp://campaigncommunications.ru/connect/load.php?file=2
• hxxp://campaigncommunications.ru/connect/load.php?file=3
• hxxp://campaigncommunications.ru/connect/load.php?file=4
• hxxp://campaigncommunications.ru/connect/load.php?file=5
• hxxp://campaigncommunications.ru/connect/load.php?file=6
• hxxp://campaigncommunications.ru/connect/load.php?file=7
• hxxp://campaigncommunications.ru/connect/load.php?file=8
• hxxp://campaigncommunications.ru/connect/load.php?file=9
• hxxp://campaigncommunications.ru/connect/load.php?file=uploader
• hxxp://campaigncommunications.ru/connect/load.php?file=0
• hxxp://campaigncommunications.ru/connect/load.php?file=0&luck=1
• hxxp://campaigncommunications.ru/connect/load.php?file=1
• hxxp://campaigncommunications.ru/connect/load.php?file=1&luck=1

At the time of writing, only 2 of the 41 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: 72a45688ba03a9bfd3b3755c33843dcd.

The email is send from the spoofed addresses:

account@facebook.com
manager@facebook.com

The message has the following body:

Dear user of FaceBook.

Your password is not safe!
To secure your account the password has been changed automatically.

Attached document contains a new password to your account and detailed information about new security measures.

Thank you for your attention,
Your Facebook

The attached ZIP file has the name New_Password_IN04393.zip, note that the number at the end will change, and contains the 33 kB large file New_Password.exe.

The trojan is known as Gen:Heur.VIZ.2 (BitDefender), Mal/FakeAV-JX (Sophos), Trojan.Generic.Bredolab-2 (ClamAV).

The following files will be created:

%System%\document.doc

Several Windows registry changes will be exectued and the trojan can establish connection with the IP 193.106.34.20 on port 80.

Data can be obtained from following URLs:

• hxxp://profmiale.ru/TGQW4nHJOS/document.doc
• hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=8
• hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=9
• hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=uploader
• hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=grabbers
• hxxp://profmiale.ru/TGQW4nHJOS/grabbers.php
• hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=0
• hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=1
• hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=2
• hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=3
• hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=4
• hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=5
• hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=6
• hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=7

At the time of writing, only 6 of the 42 AV engines did detect the trojan at Virus Total.

Virus Total permalink and MD5: ecc2d442886b7296b5bd7eaeaae0bcea.

The email is send from the spoofed address “”Facebook Manager, Loraine Nwabeke” <juliancb@facebook.com>” and has the following body:

Dear user of facebook.
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
Your Facebook.

The attachedZIP file has the name FaceBook_Password_Nr47825.zip and contains the 32 kB large file FaceBookDOC.exe.

The trojan is known as W32/Oficla.BC (Authentium), Heuristic.Trojan.SusPacked.TMS (ClamAV), Suspicious file (Panda).

The following files will be created:

%Temp%\1.tmp
%System%\hyli.igo

The following registry key is created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid

The following registry key is modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell =

At the time of writing, only 4 of the 43 AV engines did detect the trojan at Virus Total.

Virus Total permlink and MD5: 1a12dc605dbcecb119b53d1d896693ab.

The emails is send from the spoofed email address The Facebook Team <profile@facebook.com> with subjects like for example:

Facebook Password Reset Confirmation! Customer Message.
Facebook Password Reset Confirmation! Customer Support.
Facebook Password Reset Confirmation! Important Message.
Facebook Password Reset Confirmation! Support Message.
Facebook Password Reset Confirmation! Your support.

The content of the email:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

The email contains the attachment Facebook_document_Nr1637.zip – where the last 4 digits ay vary – that contains the executable 48 kB large Facebook_document_Nr1637.exe once extracted.

The trojan is known as Trojan:Win32/Oficla.M (Microsoft), Trojan-Downloader:W32/Oficla.Y (F-Secure) or TR/Crypt.ZPACK.Gen (Antivir).

The trojan will attempt to download a rogue security program identified as TrojanDownloader:Win32/FakeScanti. The Win32/FakeScanti family of trojans will present themselfs as being genuine anti virus programs but instead are malware and display fake warning of possible virus infections on your system. As a user you will be offered to register and pay for the so-called anti virus software.

The following files are being created:

%Temp%\1.tmp
%System%\ngts.vao

The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]” will be modified.

The trojan can establish a remote connection with the IP 195.78.108.201 on port 80 and retrieve data from hxxp://designfolkov.ru/hules/bb.php?v=200&id=256235564&b=26aprela&tm=2.

The body of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.

Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

The email has the ZIP archive agreement.zip attached, once unpacked the file 28 kB big file agreement.exe is available.

Facebook, or any other company, will never distribute agreements,  software updates and patches or anything else in emails. Our recommendation is to delete the email immediatly because a lot of AV engines do not detect this variant very well at the moment.

Virus Total permlink and MD5: cc632e1dad8775e2bb558a6cd247b94b.

The phishing campaign has the same characteristics of the previous campaign that we have posted:

Facebook account update (part 1)
Facebook account update (part 2)

The message is being sent from the spoofed address “Facebook <update+umxlabvkqxqrig@facebookmail.com>” and has various subjects:

Facebook account update
Facebook update tool
New login system

This is the body of the phishing/malware email:

The included leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/MyAccount.php?ref=520***&email=***@***.com.

The phishing web site contains instructions on how to update your account.

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.
A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below:

updatetool.exe

* Do not use the same password that you use for other online accounts.
* Your new password must be at least 6 characters in length.
* Use a combination of letters, numbers, and punctuation.
* Passwords are case-sensitive. Remember to check your CAPS lock key.

Old Password:
New Password:
(required) ?
Confirm Password:
(required)

On this page you can see a web page where you need to confirm your old and new password and the download link to the file updatetool.exe that leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/updatetool.exe.

When we have visited the first time the phishing site, an automated download was executed of the file pdf.pdf.

As expected, this PDF contains an exploit. When we submitted the PDF file for examination to Virus Total we got the names EXP/Pidief.FV (Antivir), Exploit.PDF-JS.Gen (BitDefender), Exploit.PDF-JS.Gen (GData), Exploit:Win32/Pdfjsc.CM (Microsoft) and Troj/PDFEx-CD (Sophos).

pdf.pdf:

AV detection rate: 9/40 AV engines did detected the threat
Virus Total permlink and MD5: 93cba9349ecc8fb605c7932be0cdc9c6

Updatetool.exe:

AV detection rate: 6/40 AV engines did detected the threat
Virus Total permlink and MD5: 095fe570f78c322c8e358c656816c200.

MX Lab now intercepts a new Facebook virus campaign from the spoofed address <automailer+gtevzolc@facebook.com> or similar.

The campaign is send out with one of the following subjects:

Facebook updated account agreement
new Facebook account agreement
new account agreement

The content of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

Thanks,
The Facebook Team

Confirmation Code #: 3233075834

The email contains the ZIP archive agreement.zip with the 20 kB big executable agreement.exe inside. This trojan is known as Trojan.Sasfis.A (BitDefender), W32/Sasfis.E (F-Prot) or Trojan:Win32/Oficla.E (Microsoft).

MX Lab submitted the sample to Virus Total at 2009.11.07 00:03:35 UTC and 21 of the 41 AV engines did detect the trojan. The first sample was submitted at 2009.11.06 09:24:44 UTC. So this means that after more than 2 hours 52% of the AV engines can intercept this piece of malware.

Please do remember that Facebook, or any other company, will not communicate in any way like this. Companies like Facebook will not send attachments to update your profile, agreement or anything else.

The trojan will create the files %Temp%\1.tmp and %System%\ifmq.kqo, modify the Windows registry and will try to connect to the remote host 193.104.27.91. The following URLs are requested:

hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=1&b=300
hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=2&b=300
hxxp://193.104.27.91/limpopo/bb.php?id=&v=200&tm=3&b=300

Virus Total link and MD5: c175b5afc8bb7a7f716ccf3829412ff1.

The From address is obviously fake and not related to Facebook in any way. These come in with the subjects:

Facebook Account Update
Facebook Update Tool
new login system

But now we did managed to get a working host where the supposed phishing site was hosted. We have visited htxxp://www.facebook.com.ujtqwaqo.eu/globaldirectory/LoginFacebook.php?ref=xxx&email=xxx@xxx.com and got the login screen.

When filling in dummy login and password we got redirected to the following screen and to our suprise we didn’t found a webform to submit personal details but instead a link to a malware file updatetool.exe.

This malware is known as Gen:Trojan.Heur.Zbot.gq0@cS0Ulyb (BitDefender), PWS:Win32/Zbot.gen!R (Microsoft) or Mal/EncPk-LE (Sophos). As you may know by know, ZBot is a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.

The file %System%\sdra64.exe is created on an infected system. Hidden files are being created: %System%\lowsec\local.ds, %System%\lowsec\user.ds and %System%\lowsec\user.ds.lll all together with a hidden directory %System%\lowsec.

New memory pages created in the address space of the system process(es): %System%\services.exe, %System%\lsass.exe, %System%\svchost.exe, %System%\alg.exe adn %ProgramFiles%\internet explorer\iexplore.exe.

Windows registry modification are also part of the infection and a connection to a remote host will be established: hxxp://193.104.27.42/lcc/ip2.gif and hxxp://193.104.27.42/ip.php.

Virus Total permlink and MD5: 1ccbe2c88bbaeb8a72ca0ef7e5e51738. It is detected by only 17 of the 41 AV engines at Virus Total.

The From address is obviously fake and not related to Facebook in any way. This email in particular was directing users to the phishing site hxxp://www.facebook.com.saxzask.me.uk/globaldirectory/LoginFacebook.php?ref=******&email=info@****.com. Unfourtunalty, this host was already down when visiting so we didn’t had the chance to investigate it further but we’ll keep an eye on new ones.

Some alternative subjects are:

FaceBook message: Magnificent girl dancing video clip (Last rated by Sal Velasquez)
FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Abe Bain)
FaceBook message: Hot Girl Dancing At Striptease Dance Party (Last rated by Lowell Clay)
FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Shane Lucas)

The body of the email:

Messages from Your Friends on Facebook, March 19, 2009

You have 1 Personal Message:
Video title: “Amanda is dancing on Striptease Dance Party, March 14, 2009! We’re absolutely shocked!”.

Proceed to view full video message:

hxxp://facebook.shared.default.personalid-f58xc9cp8.launchpad.videosshared.com/home.htm?/efsonline/application=3l6mwjxsb1kpema

Message ID: FB-wtq2w9w5ig7z5gf
2009 Facebook community, Message Center.

The URL will lead to the Facebook look-a-like web site where the video is proposed.

From this page on you are required to download the newest Adobe Flash player. The file itself is presented as Flash_Adobe11.exe and is the same malware as in the Comcast High Speed Self Installation Kit malware posted earlier today.

The malware contains the Rootkit.Agent.EX that hides its presence in infected machine in order to perform malicious actions without user’s knowledge. A file %Windir%\9129837.ex,  %System%\abcdefg.bat and %Windir%\new_drv.sys (a hidden file) is being created on an infected machine.

A new hidden process 9129837.exe is started and the following system services are stopped on the computer: ALG (Application Layer Gateway Service), SharedAccess (Windows Firewall/Internet Connection Sharing), wscsvc (Security Center). The malware makes connection on the IP 58.65.232.17, server port 80, with one of the following GET requests:

cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000

cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd
&socks=14477&version=125&crc=00000000

Virus Total permalink and MD5: 8bf819ad4704aab758f86684a108c2a1.