Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a Facebook personal message or a Google acknowledgment message. The text in the e-mail message instructs the recipient to open a .zip attachment to view the message. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID2883, RuleID2883KVR, RuleID2863, RuleID 2883KVR, RuleID3298, RuleID3344KVR, RuleID3370, and RuleID3370KVR) may contain any of the following files:
Facebook message.zip
document.pdf.exe
CV-20100120-112.zip
document.htm .exe
FacebookDOCN122560.zip
FaceBook_Password_Nr32390.zip
FaceBookDOC.exe
FacebookPassword.zip
FacebookP773494.zip
FacebookPassword.exe
document.exe
Facebook_Document_Id0454.zip
Facebook_Document.exe
Facebook_details_ID91323.zip
Facebook_details.exe
Facebook_details_ID97426.zip
Facebook_Password_No.90484.zip
Facebook_Password_N11711.zip
Facebook_Password.exe
Attached_SecurityCode83872.zip
Attached_SecurityCode53301.zip
Attached_SecurityCode48413.zip
Attached_SecurityCode05019.zip
Attached_SecurityCode74330.zip
Attached_SecurityCode55704.zip
Attached_SecurityCode_68067.zip
Attached_SecurityCode_98765.zip
Attached_SecurityCode_59027.zip
Attached_SecurityCode.exe
The document.pdf.exe file has a file size of 292,872 bytes. The MD5 checksum, which serves as a fingerprint for matching this specific sample (MD5 is adequate as a lookup key for a known file, but it is not collision resistant), is the following string: 0xF75FC2964819F16634EABFFAEE6A8076
The document.htm .exe file has a file size of 286,720 bytes. The MD5 checksum is the following string: 0x5EAFA8EC6993AD3E3B495C19BD794DC8
The FaceBookDOC.exe file has a file size of 31,232 bytes. The MD5 checksum is the following string: 0xE2C82F96A05DFAC2B9DB3E0C3D03267A
Another variant of the FaceBookDOC.exe file has a file size of 32,768 bytes. The MD5 checksum is the following string: 0x1A12DC605DBCECB119B53D1D896693AB
The FacebookPassword.exe file has a file size of 317,440 bytes. The MD5 checksum is the following string: 0xF11503318BE5A524C8C0E763DE7D9CEE
The document.exe file has a file size of 403,968 bytes. The MD5 checksum is the following string: 0xC1A5BA03F0BA9832CC87180A4C4622A5
The Facebook_Document.exe file has a file size of 21,504 bytes. The MD5 checksum is the following string: 0x56D157C2EFCC68965E22F03185EAB88F
The Facebook_details.exe file has a file size of 27,136 bytes. The MD5 checksum is the following string: 0xF0E7A8C264FE14562CA8AC98ABB35840
Another variant of the Facebook_details.exe file has a file size of 25,088 bytes. The MD5 checksum is the following string: 0x4D27C3A3300CFD41E4371D5CA5D34BC0
The Facebook_Password.exe file has a file size of 23,552 bytes. The MD5 checksum is the following string: 0xA90741022A55BA83C2DD218E6B546AF1
Another variant of the Facebook_Password.exe file has a file size of 27,648 bytes. The MD5 checksum is the following string: 0xB98D72ACA31E77BE2FDACD68F762F902
A third variant of the Facebook_Password.exe file has a file size of 26,112 bytes. The MD5 checksum is the following string: 0xBF821CC47A04A0D4026784CF9348DE9B
Another variant of the FacebookPassword.exe file has a file size of 30,808 bytes. The MD5 checksum is the following string: 0x742B92D12BC5DC03DE1F40057DB7E107
The Attached_SecurityCode.exe file has a file size of 29,696 bytes. The MD5 checksum is the following string: 0xA3CC5DB1612B34F8922CBA4FC0144824
Another variant of the Attached_SecurityCode.exe file has a file size of 29,696 bytes. The MD5 checksum is the following string: 0x15F5B044A3248B4457D67EBF90EC68E6
A third variant of the Attached_SecurityCode.exe file has a file size of 35,840 bytes. The MD5 checksum is the following string: 0x6E5CF82CD1E1BBBEF2867730566CEB1E
A fourth variant of the Attached_SecurityCode.exe file has a file size of 35,840 bytes. The MD5 checksum is the following string: 0x406844DCFB6628E40BB721717B629B61
A fifth variant of the Attached_SecurityCode.exe file has a file size of 51,712 bytes. The MD5 checksum is the following string: 0x8B6695DC5255418498A090C510F39346
A sixth variant of the Attached_SecurityCode.exe file has a file size of 30,720 bytes. The MD5 checksum is the following string: 0xB03B4B68F83A5A254BC78BA07CBB52AA
A seventh variant of the Attached_SecurityCode.exe file has a file size of 33,280 bytes. The MD5 checksum is the following string: 0xB7B1DA172E0C27B0C1EADCCEDAF00B69
An eighth variant of the Attached_SecurityCode.exe file has a file size of 53,760 bytes. The MD5 checksum is the following string: 0xD182738913D0C2BFC375319C522538FD
A ninth variant of the Attached_SecurityCode.exe file has a file size of 87,040 bytes. The MD5 checksum is the following string: 0x5694907FF1A3FBCEDE37B42A2355B13E
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: You have got a new message on Facebook!
facebook
Hi,
You have got a personal message on Facebook from your friend.
To read it please check the attachment.
Thanks,
The Facebook Team
Or
Subject: Thank you from Google!
Message Body:
________________________________________
We just received your resume and would like to thank you for your interest in
working at Google. This email confirms that your application has been submitted
for an open position.
Our staffing team will carefully assess your qualifications for the role(s) you
selected and others that may be a fit. Should there be a suitable match, we
will be sure to get in touch with you.
Click on the attached file to review your submitted application.
Have fun and thanks again for applying to Google!
Google Staffing
Or
Subject: Facebook Password Reset Confirmation
Message Body:
Hi,
You have requested a new password.
You can see your new password in attached file.
Please pay attention to the fact that this email has been sent to all contact emails associated with your profile. If you did not request a new password, it seems that another person has mistakenly tried to log in with the help of your login.
For more information, check our Help Center at hxxp://www.facebook.com/help/?topic=login
Thank you for attention,
The Facebook Management
Or
Subject: Facebook password has been changed ID215
Message Body:
US banking system'open to abuse''stressed' Jean goes to hospital
Or
Subject: Facebook Service. Your login and password have been stolen! ID54237
Message Body:
A Spam is sent from your FaceBook account.
Your password has been changed for safety.
Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.
Please do not reply to this email, it's automatic mail notification!
Thank you.
FaceBook Service.
Andy takes everything as a matter of course, went on Jack. No sort of animal seems to frighten him. If he should happen to meet a dinotherium, such as used to live ages ago, hed shoot it first, and wonder about it afterward. One evening, after a hard days work, when they were all seated in the big living-room of Professor Hendersons home, discussing the progress they were making, Jack suddenly held up his hand for silence. It does look suspicious, admitted Jack. Do you suppose the man you spoke of, Mr. Roumann, who you thought might try to discover your secret, has traced you here, and is endeavoring to steal it? No, I hardly think so. I took good care to conceal my movements, and not even my closest friends know that I am here with Professor Henderson, making a projectile, the trip of which will astonish the world. No, I think this must be some other person. No, you just stay here, decided Mr. Henderson.
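Triage logic for the lure shown in the sample messages and the indicator list above, as an added example that is not part of the Cisco alert. It parses a message, opens any zip attachment by its magic bytes rather than its declared MIME type, hashes each entry while capping decompression, and flags entries whose MD5 appears in the alert or whose name hides an executable behind a document extension (document.pdf.exe, document.htm .exe). The sample message and its attachment are constructed placeholders, not captured spam; the subject regex, the name heuristics, the size cap and the function names are the editor's assumptions, not something the alert specifies.

```python
"""Triage an e-mail for the zip-wrapped executable lure described in this alert."""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# MD5 values published in the alert for the dropped executables (lowercased).
# MD5 is a lookup key for these exact samples, not a collision-resistant identity.
KNOWN_BAD_MD5 = {
    "f75fc2964819f16634eabffaee6a8076", "5eafa8ec6993ad3e3b495c19bd794dc8",
    "e2c82f96a05dfac2b9db3e0c3d03267a", "1a12dc605dbcecb119b53d1d896693ab",
    "f11503318be5a524c8c0e763de7d9cee", "c1a5ba03f0ba9832cc87180a4c4622a5",
    "56d157c2efcc68965e22f03185eab88f", "f0e7a8c264fe14562ca8ac98abb35840",
    "4d27c3a3300cfd41e4371d5ca5d34bc0", "a90741022a55ba83c2dd218e6b546af1",
    "b98d72aca31e77be2fdacd68f762f902", "bf821cc47a04a0d4026784cf9348de9b",
    "742b92d12bc5dc03de1f40057db7e107", "a3cc5db1612b34f8922cba4fc0144824",
    "15f5b044a3248b4457d67ebf90ec68e6", "6e5cf82cd1e1bbbef2867730566ceb1e",
    "406844dcfb6628e40bb721717b629b61", "8b6695dc5255418498a090c510f39346",
    "b03b4b68f83a5a254bc78ba07cbb52aa", "b7b1da172e0c27b0c1eadccedaf00b69",
    "d182738913d0c2bfc375319c522538fd", "5694907ff1a3fbcede37b42a2355b13e",
}
EXEC_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd)\s*$", re.I)
# "document.pdf.exe" / "document.htm .exe": a document extension, optional
# whitespace, then the real executable extension (editor's heuristic).
DOUBLE_EXT = re.compile(r"\.(pdf|html?|docx?|txt)\s*\.(exe|scr|com|pif|bat|cmd)\s*$", re.I)
# Subject phrases taken from the sample messages in the alert (editor's regex).
LURE_SUBJECT = re.compile(r"message on Facebook|Thank you from Google|Facebook Password|"
                          r"Facebook password|Facebook Service", re.I)
MAX_ENTRY_BYTES = 5 * 1024 * 1024  # cap decompression so a zip bomb cannot exhaust memory


def inspect_zip(data):
    """Hash and name-check every file in a zip; 'reasons' is empty for harmless entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            digest, size = hashlib.md5(), 0
            with zf.open(info) as fh:  # stream the entry: info.file_size is attacker-controlled
                while size <= MAX_ENTRY_BYTES:
                    chunk = fh.read(65536)
                    if not chunk:
                        break
                    size += len(chunk)
                    digest.update(chunk)
            reasons, md5 = [], None
            if size > MAX_ENTRY_BYTES:
                reasons.append("oversize entry, hash skipped")
            else:
                md5 = digest.hexdigest()
                if md5 in KNOWN_BAD_MD5:
                    reasons.append("MD5 listed in the alert")
            if DOUBLE_EXT.search(name):
                reasons.append("document extension masking an executable")
            elif EXEC_EXT.search(name):
                reasons.append("executable inside a mail attachment")
            findings.append({"name": name, "size": size, "md5": md5, "reasons": reasons})
    return findings


def scan_email(raw):
    """Parse a raw RFC 5322 message and inspect each attachment by content, not declared type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    report = {"subject": subject, "lure_subject": bool(LURE_SUBJECT.search(subject)),
              "attachments": [], "verdict": "allow"}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == b"PK\x03\x04":  # zip magic, whatever the Content-Type claims
            try:
                entries = inspect_zip(payload)
            except zipfile.BadZipFile:
                entries = [{"name": fname, "size": len(payload), "md5": None,
                            "reasons": ["corrupt zip"]}]
        else:
            entries = [{"name": fname, "size": len(payload),
                        "md5": hashlib.md5(payload).hexdigest(),
                        "reasons": ["executable inside a mail attachment"]
                        if EXEC_EXT.search(fname) else []}]
        report["attachments"].append({"filename": fname, "entries": entries})
        if any(e["reasons"] for e in entries):
            report["verdict"] = "quarantine"
    return report


def make_zip(name, data):
    """Constructed helper: a one-entry zip archive for building test messages."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_message(subject, attachment_name, attachment_bytes):
    """Constructed helper: a minimal message with one zip attachment (not a captured spam)."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "noreply@example.invalid", "user@example.invalid"
    msg.set_content("Hi,\nYou have requested a new password.\nYou can see your new password in attached file.\n")
    msg.add_attachment(attachment_bytes, maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Placeholder payload: 'MZ' plus padding, NOT the dropper from the alert.
    lure = build_message("Facebook Password Reset Confirmation", "FacebookPassword.zip",
                         make_zip("document.htm .exe", b"MZ" + b"\x00" * 62))
    print(scan_email(lure))
```

The hash set only catches the exact samples the alert lists; the double-extension heuristic and the zip-magic check are what catch the next repack of the same dropper, and the decompression cap matters because the size recorded in the zip header is supplied by the sender.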
The malware associated with this threat outbreak appears to be a trojan that belongs to the Win32/VBInject.gen!BP family. This trojan may modify the system registry and filesystem. This trojan could also attempt to download and install additional malware on the system.
Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt IronPort systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco IronPort Virus Outbreak Filters protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco IronPort web security appliances will not be impacted by these attacks. Cisco IronPort appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.
Related Links
Cisco Security Intelligence Operations
Cisco Threat Operations Center
Cisco SenderBase Security Network