The email is sent from the spoofed addresses:
account@facebook.com
manager@facebook.com
The message has the following body:
Dear user of FaceBook.
Your password is not safe!
To secure your account the password has been changed automatically.
Attached document contains a new password to your account and detailed information about new security measures.
Thank you for your attention,
Your Facebook
The attached ZIP file is named New_Password_IN04393.zip (the number at the end changes between samples) and contains the 33 kB file New_Password.exe.
The trojan is known as Gen:Heur.VIZ.2 (BitDefender), Mal/FakeAV-JX (Sophos), Trojan.Generic.Bredolab-2 (ClamAV).
The following files will be created:
%System%\document.doc
Several Windows registry changes will be executed, and the trojan can establish a connection to the IP 193.106.34.20 on port 80.
Data can be obtained from the following URLs:
- hxxp://profmiale.ru/TGQW4nHJOS/document.doc
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=8
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=9
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=uploader
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=grabbers
- hxxp://profmiale.ru/TGQW4nHJOS/grabbers.php
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=0
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=1
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=2
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=3
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=4
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=5
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=6
- hxxp://profmiale.ru/TGQW4nHJOS/load.php?file=7
VirusTotal permalink and MD5: ecc2d442886b7296b5bd7eaeaae0bcea.
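The indicators listed above (spoofed senders, the New_Password_IN<digits>.zip naming pattern, the inner New_Password.exe, the 193.106.34.20 address, the profmiale.ru download directory and the sample MD5) can be turned into mail and proxy checks. The following Python is an added example and not part of the advisory: the sample message, the proxy log format ("time client_ip dest_ip url") and the helper names are constructed here, and the attachment it builds holds an empty placeholder file, not the trojan. The path-prefix match deliberately goes beyond the listed URLs, so a load.php?file=N request with a number not in the list is still flagged.

```python
import hashlib
import io
import re
import zipfile
from email import encoders, message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators copied from the advisory above; everything else in this file is constructed.
SPOOFED_SENDERS = {"account@facebook.com", "manager@facebook.com"}
ATTACHMENT_RE = re.compile(r"^New_Password_IN\d+\.zip$", re.IGNORECASE)
DROPPED_EXE = "New_Password.exe"
C2_IP = "193.106.34.20"
C2_HOST = "profmiale.ru"
C2_PATH_PREFIX = "/TGQW4nHJOS/"
SAMPLE_MD5 = "ecc2d442886b7296b5bd7eaeaae0bcea"


def refang(url):
    """Map the advisory's defanged hxxp:// form to http:// so it compares with real logs."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def check_email(raw_message):
    """Return the advisory indicators matched by one RFC 822 message (empty list = clean)."""
    msg = message_from_string(raw_message)
    hits = []
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() in SPOOFED_SENDERS:
        hits.append(f"sender {addr} is one of the spoofed addresses")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment {name} matches New_Password_IN<digits>.zip")
        payload = part.get_payload(decode=True)  # None for multipart containers
        if payload and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = [m.lower() for m in zf.namelist()]
            if DROPPED_EXE.lower() in members:
                hits.append(f"archive {name} contains {DROPPED_EXE}")
    return hits


def scan_proxy_log(lines):
    """Flag lines of a constructed 'time client_ip dest_ip url' proxy log that touch
    the advisory's IP, host or download directory; returns (line, reasons) pairs."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        dest_ip, url = fields[2], refang(fields[3])
        parsed = urlparse(url)
        reasons = []
        if dest_ip == C2_IP:
            reasons.append(f"destination IP {C2_IP}")
        if (parsed.hostname or "").lower() == C2_HOST:
            reasons.append(f"host {C2_HOST}")
            # prefix match also covers load.php?file=N values the advisory did not list
            if parsed.path.startswith(C2_PATH_PREFIX):
                reasons.append(f"path under {C2_PATH_PREFIX}")
        if reasons:
            flagged.append((line, reasons))
    return flagged


def matches_sample_hash(data):
    """True when the bytes hash to the MD5 the advisory lists for the sample."""
    return hashlib.md5(data).hexdigest() == SAMPLE_MD5


def build_sample_email():
    """Constructed message, not a real capture: advisory sender and attachment naming,
    with an empty placeholder file (not the trojan) stored under the reported name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(DROPPED_EXE, b"")
    msg = MIMEMultipart()
    msg["From"] = "Facebook <manager@facebook.com>"
    msg["To"] = "user@example.org"
    msg.attach(MIMEText("Dear user of FaceBook. Your password is not safe!"))
    part = MIMEBase("application", "zip")
    part.set_payload(buf.getvalue())
    encoders.encode_base64(part)
    part.add_header("Content-Disposition", "attachment", filename="New_Password_IN77120.zip")
    msg.attach(part)
    return msg.as_string()


# Constructed proxy log lines; only the middle two touch the advisory's infrastructure.
PROXY_LOG = [
    "10:01:02 10.0.0.5 203.0.113.10 http://www.example.com/index.html",
    "10:01:09 10.0.0.5 193.106.34.20 http://profmiale.ru/TGQW4nHJOS/load.php?file=uploader",
    "10:01:10 10.0.0.5 193.106.34.20 http://profmiale.ru/TGQW4nHJOS/load.php?file=42",
    "10:02:00 10.0.0.7 203.0.113.10 http://www.example.com/about",
]

if __name__ == "__main__":
    for hit in check_email(build_sample_email()):
        print("email:", hit)
    for line, reasons in scan_proxy_log(PROXY_LOG):
        print("proxy:", line, "->", ", ".join(reasons))
```

The mail check reports three separate findings (sender, archive name, archive member) rather than one verdict so that a gateway rule can weight them; the attachment pattern alone is the most durable of the three because the number suffix and the sender vary between waves while the name stem does not.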
[ComputerSecurityArticles]