Facebook Spammer.

Today I received mail claiming it has been sent from facebook as below.

************************************************
From: xxxxxxxxxxxxxxxxx
To: xxxxxxxxxxxxxxxxxx
Subject: Facebook Support. A new password has been changed. ID4696
Date: Friday, January 28, 2011 3:36 PM

Dear user of FaceBook.

A Spam is sent from your FaceBook account.

Your password has been changed for safety.

Information regarding your account and a new password is attached to
the letter.
Read this information thoroughly and change the password to
complicated one.

Please do not reply to this email, it’s automatic mail notification!

Thank you.
FaceBook Service.

************************************************

As seen from the image, mail also contained an attachment as below.
Facebook_details_ID36227.zip

We found that the mail was spam send by worm.

It downloads following components from below URLs
hxxp://[xxxxxxxxxxxxxx]/forum/document.doc
hxxp://[xxxxxxxxxxxxxx]/forum/load.php?file=0
hxxp://[xxxxxxxxxxxxxx]/forum/load.php?file=1
hxxp://[xxxxxxxxxxxxxx]/forum/load.php?file=2
hxxp://[xxxxxxxxxxxxxx]/forum/load.php?file=3
hxxp://[xxxxxxxxxxxxxx]/forum/load.php?file=8
hxxp://[xxxxxxxxxxxxxx]/forum/load.php?file=0&luck=1
hxxp://[xxxxxxxxxxxxxx]/forum/load.php?file=1&luck=1
hxxp://[xxxxxxxxxxxxxx]/forum/load.php?file=4
hxxp://[xxxxxxxxxxxxxx]/forum/load.php?file=5
hxxp://[xxxxxxxxxxxxxx]/forum/load.php?file=6
hxxp://[xxxxxxxxxxxxxx]/forum/load.php?file=9
hxxp://[xxxxxxxxxxxxxx]/forum/load.php?file=7

Quick Heal detects worm as “Worm.Bamital.j”

We recommend all Quick Heal users to update their AVs and not to respond any of such mails.

Vishal Dodke

Vishal Dodke


No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image