Bredolab masked as Facebook Password Reset Confirmation


MX Lab detected a new Bredolab variant masquerading as a “Facebook Password Reset Confirmation”. The From header in the email is shown as “The Facebook Team <service@facebook.com>”, but the real SMTP envelope sender is spoofed.

The attachment is named Facebook_Password_4cf91.zip and contains the file Facebook_Password_4cf91.exe. The part between the underscore and .zip is chosen randomly and consists of letters and digits.

The trojan is known as Trojan.Downloader.Bredolab.AZ (BitDefender), Bredolab.gen.a (McAfee) or W32/Obfuscated.D2!genr (Norman) and is only detected by 14 of the 41 AV engines at Virus Total.

The body of the email:

Hey vguysville,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team
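The lure described above has three checkable traits: the display From claims facebook.com while the envelope sender does not, the attachment name matches Facebook_Password_<five random characters>.zip, and the archive carries an .exe. The following is an added example (not MX Lab's code) that checks a raw message for those traits; the sample mail it builds is constructed for the demonstration and its archive holds inert placeholder bytes, not the trojan.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment naming seen in the campaign: Facebook_Password_<5 random letters/digits>.zip
LURE_ATTACHMENT = re.compile(r"^Facebook_Password_[0-9a-z]{5}\.zip$", re.IGNORECASE)
CLAIMED_SENDER = "service@facebook.com"


def analyse_message(raw: bytes) -> dict:
    """Return the lure indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"sender_mismatch": False, "lure_attachment": False, "exe_in_zip": []}
    # Displayed From claims facebook.com; Return-Path carries the envelope sender the MTA saw.
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if header_from == CLAIMED_SENDER and not envelope_from.endswith("@facebook.com"):
        findings["sender_mismatch"] = True
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if LURE_ATTACHMENT.match(name):
            findings["lure_attachment"] = True
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                findings["exe_in_zip"] += [n for n in zf.namelist() if n.lower().endswith(".exe")]
    return findings


def build_sample() -> bytes:
    """Constructed lookalike of the campaign mail; the archive holds inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password_4cf91.exe", b"placeholder, not an executable")
    msg = EmailMessage()
    msg["Return-Path"] = "<bounce@mail.example.invalid>"  # spoofed envelope sender (constructed)
    msg["From"] = "The Facebook Team <service@facebook.com>"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Your password has been changed. You can find your new password in attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_4cf91.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyse_message(build_sample()))
```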

Bredolab is a trojan horse that downloads and executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into the legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code: the trojan may terminate itself when it detects an external program monitoring its behaviour.

This Bredolab variant will create the files:

%AppData%\wiaservg.log
%Windir%\temp\wpv861256600826.exe
%Programs%\Startup\isqsys32.exe

It also creates the processes isqsys32.exe and svchost.exe. The DLL %Windir%\dsqstm6.dll is loaded into the address space of Internet Explorer, accompanied by several Windows registry edits.

It will attempt to connect to the following remote hosts on port 80: 202.39.17.53 0, 217.23.7.162 and 95.211.27.211.

The data identified by the following URLs was then requested from the remote web servers:

hxxp://mmsfoundsystem.ru/public/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&v=15&rnd=8520045
hxxp://hostvegass.ru/cman/receiver/online
hxxp://wapdodoit.ru/mn/base.cfg
hxxp://www.whatsmyipaddress.com

VirusTotal permalink and MD5: e3edffb53e463bc6e3f498c8aaa1e447.

[Update – 02/11/2009  5:30 PM local Belgian time]

New subject is being used:

Facebook Password Reset Confirmation. Help Centre.

VirusTotal permalink and MD5: f69849928111bf764e3b1a0b39b684b7.

19 thoughts on “Bredolab masked as Facebook Password Reset Confirmation”

  1. Thanks . . .

    It hit Earthlink servers Oct 29th with the apparent return address:
    “The Facebook Team”

  2. Thank you for your efforts and diligence. As a member of the medical community, it is important that our computers remain stable. You are doing a great service. Stay well, and be safe. Dr Hanson

  3. recv’d this 2 or 4 times but never opened it….I knew I didn’t request my password be changed so I ignored it!!!!!! thanks for the quick word on it being bogus….

  4. I opened the mail n downloaded a link n virus has hit my comp….any solution?? my AVG anti virus is helpless😦

  5. G’day guys,

    very good information! I got these emails as well but it didn’t hit me

    a) I didn’t download the link
    b) I’m not working under Windows
    c) My boss has the admin rights so I have to ask before I get permission to download
    anything – it’s sometimes a bit stressful to ask but it protects my computer

    It’s very helpful to get your notification, so I can give the warning to my friends who are working under Windows, thank you for keeping me informed.

    You’re doing a pretty good job guys! Cheers,
    Sue

  6. Hi, I received this 17 march and for the first time in 10 years computing was silly enough to open and get infected. Luckily was directed to bleepingcomputer and got a fix. Thankfully was quickly cleansed.
    This infection removed my anti-virus.

  7. It seems that we can expect this trojan to be in rage again.
    The DNS record of the site wapdodoit.ru got about 200 A records yesterday – most of them are probably hacked sites. The TTL of the DNS record is 300 seconds, which means that if one site is taken down, in 10 minutes you will get the address of another site.

    What is behind this? Is this just improving the availability of bulletproof hosting?
    Or is this something like “Stealing of data as Service” ?
    Mik
