MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign spread by email. The message claims that your Facebook account has been blocked because spam was sent from it, that the password of the account has been reset, and that you should open the attached document to obtain your new password.
The following subjects, or similar ones, are possible:
Facebook Service. Your password has been changed. ID309
Facebook Service.Your acciunt is blocked. ID799
Facebook Support. Your password has been changed. ID991
Facebook Support. A new password is sent to you. 920
The email is sent from the spoofed address “Facebook office <email@example.com>” (note that the local part before the @ changes with each email) and has the following body:
This is a post notification!
A spam is sent from your Facebook account.
Your password has been changed for safety.
Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.
Thank you for your attention,
The attached ZIP file is named Facebook_document_Nr59469.zip and contains the folder Facebook_document, which holds the 60 kB file Facebook_document.exe.
The trojan is known as Trojan.Win32.Oficla (Ikarus), W32/Trojan3.CIG (F-Prot), Trojan:Win32/Oficla.AE (Microsoft), Trojan.Sasfis (Symantec).
The following files will be created:
Several Windows registry changes will be executed, and the trojan can establish connections with the following IPs on port 80:
Data can be obtained from the following URLs:
VirusTotal permalink and MD5: 16e7189085f1135d0ee38b56928811be.
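The indicators given in this post (the "Facebook office" display name on a non-Facebook sender, the subject templates, a ZIP that carries Facebook_document.exe, and the MD5 above) can be turned into a mail-gateway triage check. The following script is an added example and is not MX Lab's own tooling: it builds a constructed .eml that mimics the campaign and scores it against those indicators. The attachment bytes are a placeholder rather than the real sample, so the hash comparison is shown with the post's MD5 but will not match here; the set of legitimate sender domains is an assumption.

```python
"""Triage check for the Facebook "password changed" malspam described in the post.

Added example, not MX Lab's tooling. build_sample_eml() constructs a message that
mimics the campaign; triage() scores any raw RFC 822 message against the indicators.
"""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the post.
KNOWN_MD5 = "16e7189085f1135d0ee38b56928811be"
# Matches "Facebook Service./Support." followed by a password/account phrase
# (the campaign's own subjects contain typos such as "acciunt", hence acc\w+nt).
SUBJECT_RE = re.compile(r"^Facebook (Service|Support)\.\s*.*(password|acc\w+nt)", re.I)
# Assumption: domains a genuine Facebook notice would come from.
LEGIT_SENDER_DOMAINS = {"facebook.com", "facebookmail.com"}
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com")


def build_sample_eml() -> bytes:
    """Constructed message mimicking the campaign (not a real captured sample)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        # Placeholder payload; the real file was a ~60 kB PE, so the MD5 differs.
        zf.writestr("Facebook_document/Facebook_document.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "Facebook office <email@example.com>"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Facebook Service. Your password has been changed. ID309"
    msg.set_content("A spam is sent from your Facebook account.\n"
                    "Your password has been changed for safety.\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_document_Nr59469.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Return {'malicious': bool, 'findings': [...]} for a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display name claims to be Facebook, but the address domain is not.
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    if "facebook" in display.lower() and domain not in LEGIT_SENDER_DOMAINS:
        findings.append(f"spoofed sender: display '{display}' from {domain}")

    # 2. Subject follows one of the campaign templates.
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        findings.append("subject matches campaign template")

    # 3. A ZIP attachment that contains an executable; hash the inner file
    #    so it can be compared with the MD5 published for this sample.
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(EXEC_SUFFIXES):
                    digest = hashlib.md5(zf.read(name)).hexdigest()
                    findings.append(f"executable in zip: {name} md5={digest}")
                    if digest == KNOWN_MD5:
                        findings.append("md5 matches known Oficla/Sasfis sample")

    # Two independent indicators are enough to quarantine in this example.
    return {"malicious": len(findings) >= 2, "findings": findings}


if __name__ == "__main__":
    for line in triage(build_sample_eml())["findings"]:
        print(line)
```

Run against real mail flow, the hash check is the only indicator that identifies this exact sample; the sender and subject checks will also catch later waves of the same campaign that rotate the attachment.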