8/24/2008 4:12:00 PM

A new variant of the Facebook worm hits again

by Bahaa Naamneh

Two weeks after its first appearance, a new variant of the recent Facebook worm is spreading again. The worm propagates by sending every friend in the victim's Facebook account a link to a supposed video clip, hosted on a page made to look like YouTube. Following the spammed link ends with the worm being installed on your system.

The fake YouTube page is built to look as though the video was uploaded by the person who sent the message, which is what makes the lure convincing: the link arrives from a friend's account and the page appears to confirm it.

Once the worm is run, it contacts a server to fetch the content of the messages it will send. The server supplies the subject of the spammed message, the message body, and links with obfuscated URLs pointing to the fake YouTube page. Because the text is fetched rather than built into the binary, the operators can change the lure at any time, so the exact sentences below should not be relied on for detection.

The messages attempt to entice users into clicking on the spammed link with sentences such as:
• “Your ass looks not bad in this video”
• “Who and when made this video of you?!!!”
• “Nudity makes you beautiful. Who made this video?You look disgusting this video!”

The link leads to a fake YouTube page which claims that the user's Flash player must be updated before the video can be watched. Clicking the update button downloads an executable; if it is run, it infects the victim's system with the worm. At the time of writing, according to VirusTotal, only 11 out of 36 antivirus products detect this variant.

The following are the symptoms of infection:
1. The worm copies itself to: c:\windows\fbtre9.exe
2. It also creates the following file: c:\windows\fmark2.dat
3. It creates the following registry value so that it runs at every logon:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"sysftray2" = "c:\windows\fbtre9.exe"
4. The worm also deletes the following registry key:
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
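The indicators above can be checked, and cleaned up, with a short script. The PowerShell below is an added example written for this page; it is not a tool from the original post or from eSafe. It checks exactly the two file paths, the Run value and the deleted AppEvents key listed above. The file name sbtre9.exe, which one reader in the comments below reports as a renamed copy, is included as an assumption; nothing else about the variant is assumed. It only deletes anything when run with -Remove.

```powershell
# Added example for this page (not from the original post or eSafe): a triage check
# for the indicators listed above. Run in an elevated PowerShell, but in the account
# that clicked the link, because the deleted key lives under HKCU of that user.
# Dry run by default; pass -Remove to delete what it finds.
# The value name and paths come from the post; sbtre9.exe is the renamed copy one
# reader reported and is included here as an assumption.
param([switch]$Remove)

$windir   = $env:WINDIR                                      # normally C:\Windows
$iocFiles = @("$windir\fbtre9.exe", "$windir\sbtre9.exe", "$windir\fmark2.dat")
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'sysftray2'
$navKey   = 'HKCU:\AppEvents\Schemes\Apps\Explorer\Navigating'
$findings = @()

# 1. Dropped files. Hash every hit so it can be looked up on VirusTotal or sent to
#    your AV vendor before it is removed (Get-FileHash needs PowerShell 4 or later).
foreach ($f in $iocFiles) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += "file present: $f (SHA256 $hash)"
        if ($Remove) {
            # The worm runs from this path; stop the process first or the delete fails.
            $procName = [IO.Path]::GetFileNameWithoutExtension($f)
            Get-Process -Name $procName -ErrorAction SilentlyContinue |
                Stop-Process -Force -ErrorAction SilentlyContinue
            Remove-Item -LiteralPath $f -Force
        }
    }
}

# 2. Autostart value. Match on the value name but report the data as well: a renamed
#    binary would still show up here under the same value name.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runValue]) {
    $findings += "Run value present: $runValue = $($run.$runValue)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# 3. Deleted key. Its absence on its own is weak evidence (it is a sound-scheme key
#    that can be missing for other reasons), so report it only alongside another hit.
$navMissing = -not (Test-Path -LiteralPath $navKey)
if ($navMissing -and $findings.Count -gt 0) {
    $findings += "registry key missing: $navKey (consistent with infection)"
}

if ($findings.Count -eq 0) {
    Write-Output "No indicators of the Facebook worm found."
} else {
    $suffix = if ($Remove) { ', removed' } else { '' }
    Write-Output ("{0} indicator(s) found{1}:" -f $findings.Count, $suffix)
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A clean result from this script only means these specific indicators are absent. A variant that uses a different file name or Run value, as the renamed copy reported below suggests is possible, will not be caught, so a full scan with an up-to-date antivirus product is still needed, and any Facebook password used on the infected machine should be changed from a clean one.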


Web-based Trojans

Comments

8/25/2008

What are the symptoms of an infection?

Gerard Gharios

8/26/2008

Hi!!!

One of my friends on Facebook sent me this message!!
Of course, before reading this article, I had opened the link, but nothing happened; the fake page didn't open ("the page was not found"). So, am I infected by the worm???

Please answer me.
Thank you

lagalec

8/26/2008

A friend had it named sbtre9.exe instead of fbtre9.exe.

Billy Foss

8/26/2008

The new variant I have analyzed uses a predefined file name which is fbtre9.exe; it seems to me that your friend has been infected with a slightly modified variant of the same worm.

Bahaa Naamneh
eSafe CSRT

Bahaa Naamneh

8/27/2008

I too tried to open it, but the page didn't work/load properly, so does this mean I'm infected? My Facebook won't work properly now either; any ideas?

K

8/27/2008

Solution:

Reboot in safe mode (press F8 during computer boot). Then use the "search" option in the start menu to locate the items. Then delete the files. Make sure you get all of them. If they do not appear during the search, then they may not be on your computer. Also, search for:

C:\WINDOWS\system32\690974
C:\WINDOWS\fbtre9.exe
ALCMTR.exe
(also, search for and delete the two files listed above, that is
c:\windows\fbtre9.exe
c:\windows\fmark2.dat
)

After deleting them, as an extra precaution, go into your recycle bin and delete them again.
Now reboot in normal mode and search for the files. You should not be able to find any of them. If you cannot, they have been successfully deleted.

Robert

8/27/2008

If you clicked the link at all, you probably have been infected. The web page did not load for me, but I was infected. I've discovered the file, but it says that I do not have the rights to access it. Any clues on how to delete it?

Robert

9/1/2008

Hi, I think I have this worm. I too had a message in my inbox; I clicked on the link and tried to download what it asked me to, and now my computer has a mind of its own.
Can you please let me know how to remove this? Thanks.

leanne

9/18/2008

PLEEEEEEASE can someone help me??
I was silly enough to click on one of these messages and went to download the Flash media thing. Now my password has been changed and I have no idea how to get into Facebook. Also, when I click the button that says "forgotten password", which is meant to send you an email telling you how to make a new one, the email doesn't come through, as the virus/hijacker has also managed to redirect my Facebook emails elsewhere!! I have let Facebook know, but I have no idea how long it will take to fix or for them even to get back to me. I am well and truly buggered, I think, unless anyone knows how to help me.

Sarah

10/7/2008

Robert,
I was only able to find one of the files, "fmark2.dat". Does it mean that my system is still infected? Also, how do you check for the registry changes and change them back?

Thank you in advance,

Vadim


