October 27, 2009 10:48 AM PDT

Fake Facebook e-mail contains Trojan

by Don Reisinger

A new variant of the Bredolab Trojan horse is attached to a fake "Facebook Password Reset Confirmation" e-mail, security firm MX Labs is reporting.

Some users are receiving the e-mail from "The Facebook Team," according to the security firm. The sender's e-mail address displays "service@facebook.com." In reality, the address and sender were spoofed.

MX Labs found that the e-mail carried an attachment named "Facebook_Password_4cf91.zip", which contains the file "Facebook_Password_4cf91.exe" that, the e-mail claims, holds the user's new Facebook password. The security firm said that the element between the underscore and ".zip" is a string of letters and numbers chosen at random for each recipient.
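Mail-side detection logic for the lure described above, added here as an example; it is not code from the article, MX Labs or Facebook. It builds a constructed sample message (spoofed facebook.com sender, a Facebook_Password_<random>.zip holding an .exe) and triages it; the list of executable extensions and the sender-domain check are assumptions.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment name pattern from the article: random letters and digits
# between the underscore and ".zip".
LURE_NAME = re.compile(r"^Facebook_Password_[0-9a-z]+\.zip$", re.IGNORECASE)
# Assumption: extensions treated as executable content inside the archive.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat")


def build_sample_lure() -> bytes:
    """Constructed sample of the lure (not a real capture) for testing."""
    msg = EmailMessage()
    msg["From"] = "The Facebook Team <service@facebook.com>"   # spoofed sender
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Your new password is in the attached document.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # harmless placeholder stands in for the dropper
        zf.writestr("Facebook_Password_4cf91.exe", b"placeholder, not a binary")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Facebook_Password_4cf91.zip")
    return bytes(msg)


def triage(raw: bytes) -> list[str]:
    """Return the reasons a message matches the lure; an empty list means no match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    _, addr = parseaddr(str(msg.get("From", "")))
    claims_facebook = addr.lower().endswith("@facebook.com")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if claims_facebook:  # Facebook says it never sends a password as an attachment
            reasons.append(f"facebook.com sender with attachment {name!r}")
        if LURE_NAME.match(name):
            reasons.append(f"attachment name matches lure pattern: {name}")
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"PK"):  # zip magic; look inside for executables
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    bad = [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
            except zipfile.BadZipFile:
                bad = []
            if bad:
                reasons.append(f"archive {name} contains executable(s): {', '.join(bad)}")
    return reasons
```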

When a user downloads the file, it could wreak havoc on their computer. MX Labs said in a blog post that the Trojan horse Bredolab "executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions)." In other words, it's nasty.

Once it makes its way to the user's PC, Bredolab creates "%AppData%\wiaservg.log" and "%Programs%\Startup\isqsys32.exe" in the user's system files. MX Labs said that it also creates two new processes, called "isqsys32.exe" and "svchost.exe."
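A host-side check for the artifacts named in this paragraph, added here as an example; it is not part of the article or MX Labs' analysis. It runs against constructed sample data, and the System32 path heuristic for svchost.exe is an assumption the article does not make.

```python
import re

# Artifacts the article says Bredolab creates, written as the article gives them.
ARTIFACT_TEMPLATES = (r"%AppData%\wiaservg.log", r"%Programs%\Startup\isqsys32.exe")
DROPPED_PROCESS = "isqsys32.exe"
# Assumption: the genuine svchost.exe lives under System32. A path check catches a
# look-alike process, not code injected into a genuine svchost.exe.
SVCHOST_HOME = r"%SystemRoot%\System32"


def expand(template, env):
    """Expand %Name% placeholders from env, case-insensitively like the Windows shell."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), template)


def find_dropped_files(env, exists):
    """Return the expanded artifact paths for which exists(path) is true."""
    return [p for p in (expand(t, env) for t in ARTIFACT_TEMPLATES) if exists(p)]


def flag_processes(procs, env):
    """procs: iterable of (pid, name, image_path). Returns (pid, name, reason) tuples."""
    home = expand(SVCHOST_HOME, env).lower() + "\\"
    flagged = []
    for pid, name, path in procs:
        if name.lower() == DROPPED_PROCESS:
            flagged.append((pid, name, "process name dropped by Bredolab"))
        elif name.lower() == "svchost.exe" and not path.lower().startswith(home):
            flagged.append((pid, name, "svchost.exe running outside System32"))
    return flagged


# Constructed sample host state (not a real capture). %Programs% is not a standard
# environment variable, so a real run must map it to the Start Menu Programs folder.
SAMPLE_ENV = {"appdata": r"C:\Users\x\AppData\Roaming",
              "programs": r"C:\Users\x\Start Menu\Programs",
              "systemroot": r"C:\Windows"}
SAMPLE_FILES = {r"C:\Users\x\AppData\Roaming\wiaservg.log"}
SAMPLE_PROCS = [(880, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
                (2044, "svchost.exe", r"C:\Users\x\AppData\Roaming\svchost.exe"),
                (2100, "isqsys32.exe", r"C:\Users\x\Start Menu\Programs\Startup\isqsys32.exe")]

if __name__ == "__main__":
    print(find_dropped_files(SAMPLE_ENV, SAMPLE_FILES.__contains__))
    print(flag_processes(SAMPLE_PROCS, SAMPLE_ENV))
```

On a live Windows host, pass a lowercase-keyed copy of the environment (with %Programs% mapped by hand) and os.path.exists in place of the sample data.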

Another security watchdog, M86 Security, wrote that there's more to the outbreak than Bredolab. After it sneaks its way onto the user's computer, M86 said, Bredolab downloads a bot called Pushdo. The company found that Pushdo immediately starts "spamming out more of these Facebook password reset e-mails."

For its part, Facebook was quick to point out that the e-mail containing the virus wasn't coming from the social network.

"This virus is being distributed through email, not on Facebook," a Facebook spokesperson wrote. "The email is disguised as a Facebook password reset e-mail with an attachment that purportedly contains the new password, but is actually the virus. We're educating users on how to detect this through the Facebook Security Page."

Facebook said that users should be "suspicious of unexpected emails claiming to be from Facebook." The company also said that it will never send users a new password as an attachment.

Users who have downloaded the file should use anti-malware software to remove it; CNET's Download database lists available security software.

Updated at 1:03 p.m. PDT to include new details from M86 Security.

Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET.

by Stefaninafla October 27, 2009 11:07 AM PDT
Yep, had that come to my work email that isn't even used with Facebook. The junk filter caught it, and I deleted it without opening. You know, like a smart person should.
by WinNoMo October 27, 2009 11:08 AM PDT
I got that email and clicked on it. Nothing happened.
by WinNoMo October 27, 2009 11:10 AM PDT
How do I know if my computer is infected?
by shiningdevil October 27, 2009 12:08 PM PDT
i see wut u did thar
by WinNoMo October 27, 2009 12:15 PM PDT
I am really very worried! I am never going to be at peace until I know for sure! How can I tell if my computer has been infected by this malicious code?
by jake3373 October 27, 2009 12:50 PM PDT
Nothing happening usually means that the virus is doing what it's meant to do. Look for the folders and files in the article that the virus creates. Try running Malwarebytes (from download.com) to remove the infection if it exists.
by Vegaman_Dan October 27, 2009 12:59 PM PDT
@jake3373:

WinNoMo is one of our resident Apple fans who is trying to openly mock and ridicule people who use Windows. In the end, they only end up making a mockery of themselves with such attempts.
by rmullen0 October 27, 2009 1:00 PM PDT
Sounds like you're hosed. I hope you made a backup.
by exactlyy October 27, 2009 1:01 PM PDT
That's just too dumb, dude.. I mean, how could you believe that your password has been sent to you in an attachment?
Clicking on that attachment and, as you said, nothing happened means you've got the virus.
The best way I see for you to get rid of this is to start up your computer in safe mode and scan your system.
But this could take some time; I'd just reformat my PC.
by denz_denz October 27, 2009 2:03 PM PDT
maybe not now.....
by WinNoMo October 27, 2009 2:08 PM PDT
I tried downloading Malwarebytes, but I could only find a Windows version? Why don't they make a Mac version? Oh my! I am so worried!
by baconstang October 27, 2009 3:50 PM PDT
Well, until your Mac can figure out how to run an '.exe' file, you should be fine. Unless you were running Windows on your Mac for some reason.
by TF_kj October 27, 2009 11:41 AM PDT
The MX Logic analysis is good, could use an update. It's delivering Bredolab, Zbot, adware, etc:
http://blog.threatfire.com/2009/10/facebook-password-reset-confirmation.html
by wratbatblue October 27, 2009 11:57 AM PDT
Being victimized by malware that depends on user interaction to do its thing, at this stage, is what I'd call Data Darwinism, the thinning of the herd by culling the weakest.
by krosafcheg October 27, 2009 12:11 PM PDT
@wratbatblue
Not really. In most cases their PC remains mostly functional (just merely inconveniencing the infected user), while spewing out spam, viruses and DoS attacks, causing trouble for everyone else on the internet; also causing annoyance for anyone ultimately in charge of fixing that PC for the idiot that opened the attachment. At no point does the PC just drop off the internet or cease to function, that's not profitable for the peddlers of malware.
by Otto Holland October 27, 2009 12:21 PM PDT
No legal sites, including banks, send email reset messages to clients. Anyone who opens an attachment from an unknown source gets what he deserves. I received one yesterday, but instead of clicking the attachment, I checked the source and it was not from Facebook.
by pentest October 27, 2009 2:02 PM PDT
Duh, they prey on the ignorance of Windows users.

It is time to go to licensing to get an internet connection.
by montex66 October 27, 2009 12:36 PM PDT
Once again, cnet fails to state that this trojan does not affect Macs. Just like all other viruses and malware, Mac OS X is completely safe and secure. Even if you deliberately downloaded the trojan, made 10,000 copies of it and tried to execute them, they wouldn't work at all. Does cnet think they ought to mention that? Just one little sentence? Nope.

Back in the day when the Mac platform was languishing, and Apple was in danger of going out of business, I could understand why cnet felt it was appropriate to ignore it. But now with 25 million users and Apple raking in profits that astound the entire industry, you'd think cnet might show some journalistic integrity and drop a line about this non-threat to Macs.

You'd be mistaken. At the very least when cnet hires a freelance journalist they should run the article by an editor. Just sayin'.
by linuxroadwarrior October 27, 2009 12:49 PM PDT
If everyone used Mac, we'd get lots of Windows spam.

Gee, if they paid attention to MacOSX, they'd have to pay attention to every two cent OS out there.
It's been said before that it's pretty darned hard to make a virus to work on Windows and Mac.

Fanboys fail to realise that there ARE OSX viruses out there. It's just that it's not worth the time to target a small group.
Heck, there is a Linux virus out there. I just don't know where. If you told me where it was, I'd gladly try it. Because I can re-image the drive.
by Vegaman_Dan October 27, 2009 1:01 PM PDT
You've got a good point, Montex66. But we should also point out that I can walk right up to any Mac running OS X and within 30 seconds have full admin rights to the machine, copy any and all data I want, install applications, keyloggers, spyware, etc, all without your knowledge simply by booting into single user mode. It's not hard.

This points out that no OS is perfect, and that OS X has its share of critical issues as well.
by exactlyy October 27, 2009 1:08 PM PDT
It's proved that hacking into a Mac wouldn't take more than 2 minutes.. google that to educate yourself.
Writing a virus program takes a lot of time, and as you know Mac got no more than 6% of the market share.. in all its history only 6% :S That's something I'd personally be ashamed of. The point is, who is the **** that would write a virus to infect 10 million Macs when he could write the same program for Windows and infect 100 million?
by WinNoMo October 27, 2009 2:11 PM PDT
Same old tired arguments. Speculation. What ifs. Doesn't change reality. No viruses. No virus protection. 14 years.
by baconstang October 27, 2009 4:01 PM PDT
I find it very disingenuous to compare physical attacks to online click-throughs. If someone had physical access to my computer, I'd be worried about a lot of other things..... like how did they get in the house.
by Dalkorian October 28, 2009 9:29 AM PDT
Montex66, don't be so arrogant. Despite the fact this particular trojan is written to exploit winblows, it's still a trojan. No OS is proof against the user installing programs, none. That includes our favored OS X. It might have difficulty acting like a virus after installation (but then again, it might not), but it could be done. Nothing is impossible.

To all the M$ apologists who cry market share (again and again without thought), explain why OS 9 had hundreds of viruses (actual viruses that didn't require user interaction) and yet even after 8 years and 6 iterations there is yet to be one for OS X (trojans don't count as viruses). I guess Apple is in real trouble, since by your argument OS 9 had an infinitely larger market share than OS X currently has.

To Danny boy here, please tell us what OS you couldn't hack with physical access to the machine and what that has to do with the topic we're discussing. Or did you just want to show off your strawman construction capabilities?
by G-Skaf October 27, 2009 1:38 PM PDT
When will people learn to ignore those cheap fake e-mails and that executable attachments are absolutely deadly...?
by ckerr October 27, 2009 1:43 PM PDT
I must be internet popular..... I got this message four times at home and six more at work. And none of those emails are attached to my Facebook Account. I feel so loved.
by timber2005 October 27, 2009 1:48 PM PDT
They should have sent it out targeting the whole newsfeed thing.

"If you'd like the old newsfeed back, send us your pw!"

-timber2005 (who is greatly annoyed at all of the "give us the old newsfeed back" groups)
by motrin800 October 27, 2009 2:34 PM PDT
!! What if I have the process "svchost.exe" running on my PC?? 13 of them, actually. I never got this Facebook e-mail, but I do remember seeing this process before, and I'm running Avast right now to see if it finds anything.. but that's the thing, if it is something bad shouldn't Avast have found it a long time ago??

I think I'm going to switch to AVG after this.
by atomD21 October 27, 2009 5:29 PM PDT
The problem is, svchost.exe is usually running several times legitimately on your computer, so by adding another one, it makes it almost impossible to just look at running processes and know which one is bad. Chances are, you're just fine. Avast is a great free antivirus suite. If it hasn't found anything, chances are you're all set, but I would get Malware Bytes Anti-malware from download.com to be sure.
by motrin800 October 28, 2009 1:57 AM PDT
I see... when I tried ending the processes, either I would lose sound or visuals.. then I went to check who has control of the process; it's not me, 'trusted host' it would say. But thanks, I will give that a try.
by Dalkorian October 28, 2009 9:42 AM PDT
Relax Motrin, if you didn't get the email chances are you're not infected by this trojan (remember the old joke, "sex is hereditary, if your parents didn't have it chances are you won't either"). It's a trojan after all, something you have to run on your machine. If you didn't run it, you're not infected by it. Period.

As Atom mentioned, it's common to have multiple "svchost.exe" processes running in winblows. It's a legitimate process, which is what makes this trojan so nasty - code injection. But again, if you didn't install it ...

If you're really paranoid (maybe your kid also uses the computer ...), look for the other signs mentioned. Stolen from the article itself:

"Once it makes its way to the user's PC, Bredolab creates "%AppData%\wiaservg.log" and "%Programs%\Startup\isqsys32.exe" in the user's system files."

Lastly, remember the nature of AV programs like Avast or AVG - the malware in question has to be known by the AV community first. How do they know about malware, do you think the black hat guys have meetings with the AV guys or something? No, first the malware has to hit one of their "honey pot" machines, PCs set up specifically to be easy to infect so they can analyze the malware in question and write the AV signature needed to identify it. What this means is it's impossible to perfectly protect you against all malware, because the malware has to be written and released into the wild first; the protection comes later. It's erroneous to think that just because Avast hasn't caught it yet, AVG would.
by motrin800 October 28, 2009 3:48 PM PDT
@Dalkorian great detailed response, thanks. And also I am the kid who uses the computer and the only one who uses this PC. That's why I was alarmed when I saw svchost.exe, because I'm not a dumb kid. I already went through my Lab rat 98 a while back and learned a lot from it, including trojans.
by corelogik October 27, 2009 2:53 PM PDT
Got this email this morning. Sent to a user name that doesn't exist on Facebook but which I have an email address for. Caught and quarantined by AVG 8.5, no harm done.
by mahnoor_khan99 October 28, 2009 9:27 AM PDT
i have lot of fun here
by Harrison912 October 28, 2009 10:35 PM PDT
I mainly use FaceBook to socially market my safety and security web site. Thanks, Don, for this information.
by deenewthis October 30, 2009 8:03 AM PDT
This Mac guy knows nothing about comps, I see, if he thinks that Macs don't get viruses. What a joke, and oh, they do make virus scanners for Mac.
by paramedicalgirl November 3, 2009 12:12 AM PST
hi
by paramedicalgirl November 3, 2009 12:13 AM PST
How can I send pics over to Facebook from my email acct?
by tech_kid November 22, 2009 7:16 AM PST
OMG, here's a tip... use antivirus. All you gotta do is download/buy an antivirus program, then you're fine. What I approve of is Norton, McAfee, and AVG... AVG has a free version.
by don4preeda March 17, 2010 12:22 PM PDT
Do not be fooled if it appears that nothing has happened. The virus will autosend to all your contacts and anyone that opens it will continue the trend.