Fake Facebook email regarding shared photos and updates contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Your friend wants to share photos and updates with you”.

The email is send from the spoofed address “Facebook <notification+khkh-yv-kif_@facebookmail.com>”, “Facebook <invite+FDIQ5RX8YG7QKGU1YMQJMKII1B820@facebookmail.com>” or something similar and has the following body:

One of your friends wants to share photos and updates with you.

View attached file with new photos and updates

One of your friends has invited you to Facebook. After you sign up, you’ll be able to stay connected with friends by sharing photos and videos, posting status updates, sending messages and more.

The email also tries to mimic the Facebook book layout to make it look more genuine.

The attached ZIP file has the name Your_Friend_New_photos-updates_id876011626.zip (number will change) and contains the 60 kB large file Your_Friend_New_Photos-and-Updates.jpeg.exe.

The trojan is known as BackDoor.Andromeda.22, Troj/Zbot-CMV, WORM_GAMARUE.CI, W32/Falab.J.gen!Eldorado.

At the time of writing, 13 of the 42 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: c794d3d4e15807d720c7c3da8ff474f78ed3152bfb6272e3c3e7ebc3e62ed6d7.