Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a password reset notification for the recipient's Facebook account. The text in the e-mail message attempts to convince the recipient to open a .zip attachment to view the new password and additional details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID3328, RuleID3328KVR, RuleID3337, and RuleID3339) may contain the following files:
New_Password_IN43957.zip
New_Password_IN92971.zip
New_Password_IN01842.zip
New_Password.exe
Facebook_Password_INM.050.zip
Facebook_Password.exe
Password_details_FN18813.zip
Password_details.exe
The New_Password.exe file in the New_Password_IN43957.zip attachment has a file size of 26,276 bytes.
Another variant of the New_Password.exe file in the New_Password_IN92971.zip attachment has a file size of 32,336 bytes. The MD5 checksum is the following string: 0x2D7A38E2785E4455C7B1FDA5B647D6C2
A third variant of the New_Password.exe file in the New_Password_IN01842.zip attachment has a file size of 112,640 bytes. The MD5 checksum is the following string: 0x0FAC892946C333603B7398B24D81DCA5
The Facebook_Password.exe file in the Facebook_Password_INM.050.zip attachment has a file size of 108,032 bytes. The MD5 checksum is the following string: 0x8841C20833F9F05124BAADB17E1A5359
The Password_details.exe file in the Password_details_FN18813.zip attachment has a file size of 113,232 bytes. The MD5 checksum is the following string: 0xDFC803F04D945E9F768DB847CBD71F78
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Facebook Support. Personal data has been changed! ID77838
Message Body:
Dear user of FaceBook.
Your password is not safe!
To secure your account the password has been changed automatically.
Attached document contains a new password to your account and detailed information about new security measures.
Thank you for your attention,
Administration of Facebook.
And when they had worn out their horses, so that they could not stir a leg, they were all forced to give it up as a bad job.So the king thought he might as well proclaim that the riding should take place the day after for the last time, just to give them one chance more; but all at once it came across his mind that he might as well wait a little longer, to see if the knight in brass mail would come this day too. Well! they saw nothing of him; but all at once came one riding on a steed, far, far, braver and finer than that on which the knight in brass had ridden, and he had silver mail, and a silver saddle and bridle, all so bright that the sun-beams gleamed and glanced from them far away.
Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt IronPort systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco IronPort Virus Outbreak Filters protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco IronPort web security appliances will not be impacted by these attacks. Cisco IronPort appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.
Related Links
Cisco Security Intelligence Operations
Cisco Threat Operations Center
Cisco SenderBase Security Network
