Facebook users are once again under attack. A new variant of Bredolab Trojan is spreading through spam email messages appearing to come from Facebook.
The messages pretend to come from “The Facebook Team”, but the SMTP From address is spoofed. The attached archive contains an executable that may infect users with a Trojan horse.
The following is an example of the spammed email messages:
Subject: Facebook Password Reset Confirmation.
Hey andi ,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
The Facebook Team
The attachment may carry a name such as:
Facebook_Password_3db40.zip
or, more generally,
Facebook_Password_[5 random characters].zip
This Bredolab Trojan downloads and executes further malware on the affected machine, such as rogue anti-virus software, and, to bypass firewalls, injects its own code into the legitimate processes svchost.exe and explorer.exe.
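The three traits the article describes (a display name claiming to be Facebook on a mail that does not originate from Facebook, the Facebook_Password_xxxxx.zip attachment name, and an executable inside the archive) can be checked mechanically at the mail gateway. The script below is an added example written for this page, not code from the original article or from any vendor; it builds a synthetic copy of the lure with the Python standard library and runs it through a small indicator check. The list of legitimate sending domains and the character class used for the five random characters are assumptions (the one observed sample used hexadecimal digits), and the "executable" inside the constructed zip is a harmless text file that merely carries an .exe name.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment name pattern reported for this campaign: Facebook_Password_<5 chars>.zip.
# The character class is an assumption; the sample on the page used hex digits.
ATTACHMENT_RE = re.compile(r"^Facebook_Password_[0-9A-Za-z]{5}\.zip$", re.IGNORECASE)
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Assumption: domains from which genuine Facebook notifications are sent.
LEGIT_DOMAINS = ("facebook.com", "facebookmail.com")


def build_sample_message() -> bytes:
    """Construct a lure resembling the one quoted in the article. Entirely synthetic:
    the zip holds a harmless text file named with an .exe extension, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password_3db40.exe", "placeholder, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "Facebook Password Reset Confirmation."
    # Spoofed display name; the address is a constructed, non-Facebook one.
    msg["From"] = '"The Facebook Team" <service@example.net>'
    msg["To"] = "andi@example.org"
    msg.set_content(
        "Hey andi,\n"
        "Because of the measures taken to provide safety to our clients, "
        "your password has been changed.\n"
        "You can find your new password in attached document.\n"
        "Thanks,\nThe Facebook Team\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_3db40.zip")
    return msg.as_bytes()


def analyze(raw: bytes) -> list[str]:
    """Return the indicators matched by a raw RFC 822 message (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Indicator 1: display name claims Facebook, but the address is not a Facebook domain.
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    legit = any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)
    if "facebook" in display.lower() and not legit:
        findings.append(f"display name claims Facebook but sender domain is {domain or 'missing'}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Indicator 2: attachment name matches the campaign's naming pattern.
        if ATTACHMENT_RE.match(name):
            findings.append(f"attachment name matches campaign pattern: {name}")
        # Indicator 3: a zip attachment that carries an executable.
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(EXECUTABLE_EXTS):
                            findings.append(f"archive {name} contains executable {member}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name} is not a valid zip archive")
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_message()):
        print("INDICATOR:", finding)
```

The domain check deliberately looks at the address rather than the display name, since the display name is exactly the field the campaign forges; in production the same logic would sit behind SPF/DKIM results rather than a hard-coded domain list.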