Email with new password from Facebook Support contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email. The message claims that your Facebook account has been blocked because spam was sent from it, that the password of your account has been reset, and that you should open the attached document to find your new password.

The following subjects, or similar ones, are possible:

Facebook Service. Your password has been changed. ID309
Facebook Service.Your acciunt is blocked. ID799
Facebook Support. Your password has been changed. ID991
Facebook Support. A new password is sent  to you. 920

The email is sent from the spoofed address “Facebook office <donotreply.nr.6170@facebook.com>” (note that the local part before the @ changes with each email) and has the following body:

This is a post notification!

A spam is sent from your Facebook account.
Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Thank you for your attention,
Facebook Service.

The attached ZIP file has the name Facebook_document_Nr59469.zip and contains the folder Facebook_document, which holds the 60 kB file Facebook_document.exe.

The trojan is known as Trojan.Win32.Oficla (Ikarus), W32/Trojan3.CIG (F-Prot), Trojan:Win32/Oficla.AE (Microsoft), Trojan.Sasfis (Symantec).

The following files will be created:

%Temp%\1.tmp
%System%\ttux.qqo
%Temp%\2.tmp

Several Windows registry changes will be executed and the trojan can establish connections with the following IPs on port 80:

85.195.104.161
91.204.48.46

Data can be obtained from the following URLs:

* http://pupmypzed.ru/alimp/bb.php?v=200&id=738176302&b=1711_fa&tm=1
* http://pupmypzed.ru/alimp/bb.php?v=200&id=738176302&tid=4&b=1711_fa&r=1&tm=1
* http://91.204.48.46/test/dot.exe

VirusTotal permalink and MD5: 16e7189085f1135d0ee38b56928811be.
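As an added example (not MX Lab's own tooling), the following Python checks an incoming message for the mail-side indicators listed above: the spoofed donotreply.nr.NNNN@facebook.com sender, the "Facebook Service/Support ... IDnnn" subject pattern, a Facebook_document_NrNNNNN.zip attachment, an .exe inside that archive, and the quoted MD5. The sample message it builds is constructed for the demonstration; its .exe is dummy bytes, not the trojan.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Indicators taken from the campaign described in the post.
SPOOFED_FROM = re.compile(r"donotreply\.nr\.\d+@facebook\.com", re.I)
SUBJECT_PAT = re.compile(r"^Facebook (Service|Support)\s*\..*\b(?:ID)?\d{3}\s*$", re.I)
ZIP_NAME_PAT = re.compile(r"^Facebook_document_Nr\d+\.zip$", re.I)
KNOWN_MD5 = {"16e7189085f1135d0ee38b56928811be"}  # MD5 quoted in the post


def check_message(raw: bytes) -> list[str]:
    """Return the campaign indicators that an RFC 822 message matches."""
    msg = message_from_bytes(raw)
    hits = []
    if SPOOFED_FROM.search(msg.get("From", "")):
        hits.append("spoofed-from")
    if SUBJECT_PAT.search(msg.get("Subject", "")):
        hits.append("subject-pattern")
    for part in msg.walk():
        if not ZIP_NAME_PAT.match(part.get_filename() or ""):
            continue
        hits.append("zip-name")
        data = part.get_payload(decode=True) or b""
        # Look inside the archive for the executable the post describes.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(".exe"):
                    hits.append("exe-in-zip:" + member)
                    if hashlib.md5(zf.read(member)).hexdigest() in KNOWN_MD5:
                        hits.append("known-md5")
    return hits


def build_sample() -> bytes:
    """Constructed message mimicking the campaign; the .exe is dummy bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_document/Facebook_document.exe", b"MZ constructed dummy")
    msg = MIMEMultipart()
    msg["From"] = "Facebook office <donotreply.nr.6170@facebook.com>"
    msg["Subject"] = "Facebook Support. A new password is sent to you. 920"
    att = MIMEApplication(buf.getvalue(), Name="Facebook_document_Nr59469.zip")
    att["Content-Disposition"] = 'attachment; filename="Facebook_document_Nr59469.zip"'
    msg.attach(att)
    return msg.as_bytes()
```

Any hit other than "subject-pattern" alone is worth quarantining; the hash match will only fire on the exact sample, so the structural indicators carry the detection.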

2 thoughts on “Email with new password from Facebook Support contains trojan”

  1. Oh yeah, this is so true and I got an email too. And boy, I ain't no noob when it comes to net stuff and all, so I knew it was a virus.

    BUT ONE THING I NOTICED THAT I RECEIVED EMAILS TO REDIFFMAIL ACCOUNT ONLY AND NOT GMAIL OR YAHOO ACCOUNT.

    So you know …………………………………….
