“Spam from your Facebook account” messages contain trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with one of the following subjects:

Spam from your account
Spam from your Facebook account
Your password has been changed

The email claims to come from “Facebook Abuse Department” and uses a spoofed sender address of the form ***@facebook.com, where the part before the @-sign is one of various names starting with a capital letter. The body reads:

Dear client

Spam is sent from your FaceBook account.

Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Please do not reply to this email, it’s automatic mail notification!

Thank you for using our services.
FaceBook Service.

The attached ZIP file is named Attached_SecurityCode08592.zip, where the number is chosen randomly, and contains the 33 kB file Attached_SecurityCode.exe.
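As an added defender-side example, not part of the original MX Lab post: a small Python triage check that flags messages matching the lure described above (a spoofed @facebook.com sender with the “Facebook Abuse Department” display name, one of the listed subjects, and an Attached_SecurityCode<digits>.zip attachment holding an .exe). The sample message, the sender local part “Nicole” and the placeholder executable bytes are constructed for the test and are not from the campaign.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Lure details taken from the campaign above: subjects, spoofed sender and
# the attachment naming scheme (random digits after Attached_SecurityCode).
SUBJECTS = {"spam from your account", "spam from your facebook account",
            "your password has been changed"}
ATTACH_RE = re.compile(r"^attached_securitycode\d+\.zip$", re.IGNORECASE)

def classify(raw: bytes) -> list:
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = str(msg.get("From", "")).lower()
    if "abuse department" in sender and "@facebook.com" in sender:
        hits.append("spoofed-facebook-abuse-sender")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("campaign-subject")
    for part in msg.iter_attachments():
        if ATTACH_RE.match(part.get_filename() or ""):
            hits.append("attachment-name-pattern")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):  # ZIP local file header magic
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    if any(n.lower().endswith(".exe") for n in zf.namelist()):
                        hits.append("zip-contains-exe")
            except zipfile.BadZipFile:
                hits.append("malformed-zip")
    return hits

def build_sample() -> bytes:
    """Constructed test message mimicking the lure; the 'exe' is dummy text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Attached_SecurityCode.exe", b"placeholder, not a binary")
    msg = EmailMessage()
    msg["From"] = "Facebook Abuse Department <Nicole@facebook.com>"  # assumed name
    msg["To"] = "client@example.net"
    msg["Subject"] = "Spam from your Facebook account"
    msg.set_content("Spam is sent from your FaceBook account.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Attached_SecurityCode08592.zip")
    return msg.as_bytes()
```

A message that returns several indicators at once is a strong candidate for quarantine; a single hit (e.g. only the subject) is better treated as a review signal.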

The trojan is known as W32/Trojan2.NNGG (Commtouch) and Troj/DwnLdr-IZR (Sophos). It installs itself on the infected computer and has a built-in SMTP engine to spread itself further by email.

The following files will be created:

%Temp%\_check32.bat
%Windir%\s32.txt
%System%\aspimgr.exe
%System%\document.doc
%Windir%\ws386.ini

Several Windows registry changes will be executed and the trojan can establish connections with a number of remote hosts, on TCP port 25 (SMTP) and on port 80 (HTTP).

Data can be obtained from a number of download URLs.

At the time of writing, only 2 of the 41 AV engines at VirusTotal detected the trojan.

Virus Total permalink and MD5: 72a45688ba03a9bfd3b3755c33843dcd.

3 thoughts on “ “Spam from your Facebook account” messages contain trojan ”

  1. I think that probably you feel that it was a virus in my Facebook, but it wasn't that; it was me sending daily mails to people who live around here, and it can be like a promotional menu of my little restaurant.
    That's why I beg you to please return my account to send this kind of messages. Please.

    Please, I need an answer from you guys.

  2. I can't log in to my Facebook. I think it may be spam. I have added a strange person, so now I am asking great apologies. I can't live without Facebook, all my friends.
