Facebook updated account agreement email contains Sasfis trojan

Apparently, the virus campaigns are far from over. MX Lab reported on this blog regarding the latest virus campaign that would be an attempt to grow the Cutwail botnet by infecting new computer systems by launching new trojan variants every few days.

MX Lab now intercepts a new Facebook virus campaign from the spoofed address <automailer+gtevzolc@facebook.com> or similar.

The campaign is send out with one of the following subjects:

Facebook updated account agreement
new Facebook account agreement
new account agreement

The content of the email:

Dear Facebook user,

Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.

Please unzip the attached file and run “agreement.exe” by double-clicking it.

The Facebook Team

Confirmation Code #: 3233075834

The email contains the ZIP archive agreement.zip with the 20 kB big executable agreement.exe inside. This trojan is known as Trojan.Sasfis.A (BitDefender), W32/Sasfis.E (F-Prot) or Trojan:Win32/Oficla.E (Microsoft).

MX Lab submitted the sample to Virus Total at 2009.11.07 00:03:35 UTC and 21 of the 41 AV engines did detect the trojan. The first sample was submitted at 2009.11.06 09:24:44 UTC. So this means that after more than 2 hours 52% of the AV engines can intercept this piece of malware.

Please do remember that Facebook, or any other company, will not communicate in any way like this. Companies like Facebook will not send attachments to update your profile, agreement or anything else.

The trojan will create the files %Temp%\1.tmp and %System%\ifmq.kqo, modify the Windows registry and will try to connect to the remote host The following URLs are requested:


Virus Total link and MD5: c175b5afc8bb7a7f716ccf3829412ff1.

7 thoughts on “Facebook updated account agreement email contains Sasfis trojan

  1. I have been infected by this virus in exactly the way described. I received 100s of spoof emails supposedly from Facebook and in a moment of weakness decided top open one. BitDEfender identified the virus but has not been able to disinfect or quarantine the file so has blocked the file: ifmq.kqo. At this stage I am uncertain of the implications of this. It is causing some problems logging into the internet.

Comments are closed.