The security researchers at CSIS have spotted a new worm that spreads via Facebook. The worm uses compromised accounts to send malicious links to the victims' friends. If they follow the malicious link, the worm infects the victim's system with the Zeus bot (a banking Trojan).
The malicious links generated by the worm pose as links to a photo file posted by the account-holder's friend or online acquaintance. According to the researchers' report, the code is written in Visual Basic 6.0 and contains numerous anti-VM tricks directed against VMware, Sandboxie, VirtualBox, etc.
The malicious code downloads a Trojan from this location:
hxxp://www.offi sense.co.il / lang / b.exe
The malware attempts to copy itself onto the victim's system as:
c: users [% user profile%] m-1-52-5782-8752-5245winsvc.exe
The worm carries a cocktail of malware onto the machine, including a Zbot/ZeuS variant, a serious threat that steals sensitive information from the infected machine.
The worm already spreads from a large number of compromised domains; those currently active include:
hxxp://www.vinam ost.net
hxxp://www.ferry. coza
hxxp://www.maxim ilian-adam.com
hxxp://www.bacol odhouseandlot.com /
hxxp://www.servi ceuwant.com
hxxp://www.centr alimoveisbonitoms.com.br
hxxp://www.werea d.in.th
hxxp://www.villa matildabb.com
hxxp://www.fiona gh-Bennett-music.co.uk
hxxp://www.uksei katsu.com
hxxp://www.bzoe- salzkammergut.at
hxxp://www.delic escolres.com
hxxp://www.dekie viten.nl
The compromised servers also serve another purpose: they collect data about the infected machines while simultaneously offering additional malware. The content of such a server might look as follows:
Index of / images
Parent Directory
GeoIP.dat
PIC96477.JPG.scr
b.exe
count.txt
f.exe
geoip.inc
images.php
util.php
The malicious domains are, of course, already blocked in the CSIS Secure DNS.
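Blocking at the DNS layer stops new infections, but a defender also wants to know which machines already reached the distribution servers. The following script is an added example, not code from CSIS or from the report above: it refangs the defanged domain list as printed on this page (whitespace is stripped before matching, so the resulting hostnames should be checked against the original advisory), then runs a small web-proxy log through three checks: requests to a listed host, downloads of a "photo" with a double extension like the PIC96477.JPG.scr seen in the server listing, and requests for the /lang/b.exe dropper path. The log format and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Defanged indicators copied from the article text above, spacing as printed.
# Whitespace is stripped before use; verify the joined names against the
# original CSIS report before relying on them operationally.
DEFANGED_HOSTS = [
    "hxxp://www.offi sense.co.il",
    "hxxp://www.vinam ost.net",
    "hxxp://www.ferry. coza",
    "hxxp://www.maxim ilian-adam.com",
    "hxxp://www.bacol odhouseandlot.com /",
    "hxxp://www.servi ceuwant.com",
    "hxxp://www.centr alimoveisbonitoms.com.br",
    "hxxp://www.werea d.in.th",
    "hxxp://www.villa matildabb.com",
    "hxxp://www.fiona gh-Bennett-music.co.uk",
    "hxxp://www.uksei katsu.com",
    "hxxp://www.bzoe- salzkammergut.at",
    "hxxp://www.delic escolres.com",
    "hxxp://www.dekie viten.nl",
]


def refang(entry: str) -> str:
    """Turn a defanged 'hxxp://www.exa mple.com / path' entry into a lowercase hostname."""
    cleaned = re.sub(r"\s+", "", entry).replace("hxxp", "http", 1)
    return (urlparse(cleaned).hostname or "").lower()


IOC_HOSTS = frozenset(refang(h) for h in DEFANGED_HOSTS)

# The lure is a "photo" whose real extension is executable (e.g. PIC96477.JPG.scr).
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif)\.(scr|exe|com|pif)$", re.IGNORECASE)
# Dropper path quoted in the article: /lang/b.exe
DROPPER_PATH = "/lang/b.exe"

# Constructed, simplified proxy log format: timestamp client method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: two requests from one client hit the indicators,
# two benign requests from another do not.
SAMPLE_LOG = """\
2012-01-09T10:01:02Z 10.0.0.12 GET http://www.offisense.co.il/lang/b.exe 200
2012-01-09T10:01:05Z 10.0.0.12 GET http://www.vinamost.net/images/PIC96477.JPG.scr 200
2012-01-09T10:02:11Z 10.0.0.7 GET http://www.example.org/photos/PIC1234.JPG 200
2012-01-09T10:03:40Z 10.0.0.7 GET http://cdn.example.net/static/app.js 304
"""


def classify(line: str):
    """Return a hit record for a suspicious log line, or None for benign/unparseable lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    filename = url.path.rsplit("/", 1)[-1]
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("known-host")
    if DOUBLE_EXT.search(filename):
        reasons.append("double-extension")
    if url.path.lower().endswith(DROPPER_PATH):
        reasons.append("dropper-path")
    if not reasons:
        return None
    return {"client": m["client"], "host": host, "url": m["url"], "reasons": reasons}


def scan(log_text: str):
    """Classify every line of a proxy log and return the hits in log order."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            hit = classify(line)
            if hit:
                hits.append(hit)
    return hits


def infected_clients(log_text: str):
    """Sorted list of client addresses that touched any indicator; these need triage for Zbot."""
    return sorted({hit["client"] for hit in scan(log_text)})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["url"], ",".join(hit["reasons"]))
    print("clients to triage:", infected_clients(SAMPLE_LOG))
```

The double-extension and dropper-path checks deliberately do not depend on the host list, so a client fetching the same lure from a server that was compromised after the list was published is still flagged; a client that only appears under "known-host" with a 3xx/4xx status may have been blocked before download, so the status column is worth keeping in the triage output.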