Another Facebook spam mail, pretending that your password is not safe, is currently circulating on the Internet.
The subject is: FaceFacebook Support. Personal data has been changed!ID55733.
The email comes with an attachment called New_Password_IN33494.zip.
The zip file (New_Password_IN33494.zip) contains a file named New_Password.exe, which Quick Heal detects as “Trojan.Menti.gen”.
New_Password.exe tries to fool the victim by appearing to be a Microsoft Word document. You should never trust a file by its icon; always pay attention to the file extension. Also make sure that Windows Explorer is set to show file extensions.
On execution, New_Password.exe writes into the memory space of svchost.exe, deletes itself and downloads a file called document.doc from the domain profmiale. ru, which is then saved to the desktop. This file contains a username and password.
While the victim is looking at these new login credentials, another binary is downloaded from profmiale. ru and saved to the %temp% folder as 1.tmp. Once 1.tmp is executed, the computer immediately reboots.
Thanks to Mahesh Mane for the detailed analysis.