Malware spammed out as “FaceFacebook Support”.

Another Facebook spam mail pretending that your password is not safe, currently circulating on Internet.
The subject is: FaceFacebook Support. Personal data has been changed!ID55733.
The email comes with an attachment called

The zip file ( contain New_Password.exe file, Quick Heal detects this file as a “Trojan.Menti.gen”.
New_Password.exe tries to fool the victim as it seems a Microsoft Word Document. You should never trust a file by its icon, always pay attention to the file extension. Also make sure that Windows Explorer is set to show file extensions option.

On execution New_Password.exe writes into the memory space of svchost.exe, deletes itself and downloads a file called document.doc from the domain profmiale. ru which is then saved to the desktop.This file conatins a username and password.

While the victim is looking at these new login credentials, another binary is get downloaded from profmiale. ru and saved to the %temp% folder as 1.tmp. Once 1.tmp is executed, the computer immediately reboots.

%userprofile%Local SettingsTemp1.tmp

Thanks Mahesh Mane for the detail Analysis.


Ranjeet Menon

Ranjeet Menon

No Comments, Be The First!

Your email address will not be published.