Rogue Facebook Emails Spread Oficla Trojan
Internet security firm MX Lab has warned that a new campaign of malicious emails masquerading as password-change notifications from Facebook is spreading a variant of the Oficla Trojan.
The fake emails are sent from the spoofed address "Your Facebook <firstname.lastname@example.org>" and carry the subject line "Your facebook password has been changed."
According to the post published on the MX Lab blog on September 15, 2010, the message addresses the recipient as a Facebook user, claims that the password has been changed as a safety measure for clients, tells the user that the new password can be found in the attached document, and signs off with "Thanks, Facebook."
The reports state that the email carries an attachment and that the text is designed to trick the user into opening it. The attached ZIP file is named Facebook_document.zip and contains a 36 kB executable, Facebook_document.exe. Once run, it infects the PC with one or possibly several pieces of malware.
The Trojan is also known as Trojan.Win32.Oficla.lh (Kaspersky), Troj/Mdrop-CWY (Sophos), Win32/Oficla.II (NOD), and Win32:Trojan-gen (Avast).
To ensure that it runs each time the computer is rebooted, the Trojan appends itself to the "Shell" value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.
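The Winlogon "Shell" value is easy to audit. The following PowerShell check is an added example, not code from the article, MX Lab or SPAMfighter; it assumes a stock Windows installation where the value is simply "explorer.exe", so any extra comma-separated entry is reported together with the hash of the file it points to, for triage.

```powershell
# Added check (not from the article): audit the Winlogon "Shell" value that the
# Oficla variant appends itself to. On a stock system the value is "explorer.exe";
# additional comma-separated entries indicate tampering. Reading HKLM needs no elevation.
$winlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedShell = 'explorer.exe'   # assumption: default, unmodified shell

function Test-WinlogonShell {
    param([string]$Key = $winlogonKey)

    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    $shell = [string]$props.Shell
    if ([string]::IsNullOrWhiteSpace($shell)) {
        # A missing value means Windows falls back to explorer.exe; nothing was appended.
        return [pscustomobject]@{ Key = $Key; Shell = '<not set>'; Suspicious = @() }
    }

    # The value is a comma-separated list; everything other than explorer.exe is extra.
    $entries    = $shell -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $suspicious = $entries | Where-Object { $_ -ine $expectedShell }

    [pscustomobject]@{ Key = $Key; Shell = $shell; Suspicious = @($suspicious) }
}

$result = Test-WinlogonShell
if ($result.Suspicious.Count -eq 0) {
    Write-Output "OK: $($result.Key)\Shell = $($result.Shell)"
} else {
    Write-Warning "Unexpected entries in $($result.Key)\Shell: $($result.Suspicious -join '; ')"
    foreach ($entry in $result.Suspicious) {
        # Resolve the executable named in the entry and record its SHA256 for triage.
        $exe  = ($entry -split '\s+')[0].Trim('"')
        $path = if (Test-Path -LiteralPath $exe) { $exe } else { (Get-Command $exe -ErrorAction SilentlyContinue).Source }
        if ($path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Write-Output "  $entry -> $path (SHA256 $hash)"
        } else {
            Write-Output "  $entry -> file not found on PATH"
        }
    }
}
```

Run it from any PowerShell prompt; a clean machine prints a single OK line, while an appended entry is listed with the path and hash of the file it launches.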
It is also worth noting that the Oficla Trojan is tied to pay-per-install (PPI) operations, under which other cybercriminals pay the Trojan's authors to distribute their scareware or malware. Users who fall prey to this threat are therefore likely to end up with multiple infections on their systems.
Such users are also likely to be confronted with large numbers of deceptive security alerts urging them to purchase a licence for the fake program.
Fortunately, this Oficla variant is readily caught by signature-based antivirus products, with 34 out of 43 antivirus engines detecting it as malicious.
Meanwhile, Symantec has recently reported a fourfold increase in spam emails carrying malicious ZIP attachments over the last few months, with Oficla and ZBot distribution campaigns the main drivers of the spike.
Users are therefore firmly advised to keep their security software up to date and to treat email attachments with extra caution, even when the messages appear to come from trusted sources.
» SPAMfighter News - 29-09-2010