Infection Channel: Propagates via social networking sites
This malware spreads via the Facebook chat feature. It entices users to click a link by saying that it leads to an execution video of Osama bin Laden.
To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.
This malicious JavaScript sends an instant message to an affected user's online friends. It also posts a message on the affected user's Facebook Wall. It entices users to click the link contained in posted messages by using the news of Osama bin Laden's death.
File size: 10,717 bytes
File type: JS
Initial samples received date: 03 May 2011
Payload: Displays message/message boxes
Arrival Details
This Trojan may be downloaded from the following remote sites:
- http://{BLOCKED}0.85.172/bl.js
Other Details
This Trojan connects to the following possibly malicious URL:
- http://{BLOCKED}ount.info/end.php
NOTES:
This malicious JavaScript is part of a Facebook spam campaign that spreads via the said website's chat feature. The said spam campaign uses the news of Osama bin Laden's death.
It sends the following chat message to affected user's online friends:
- "See the Osama Bin Laden EXECUTION Video! http://{BLOCKED}p.com/805u7p? "
Posts the following message onto the affected user's status update:
This will leave you speechless
Osama Bin Laden EXECUTION Video!
http://{BLOCKED}ly.ws/e4lqeg?
Navy Seals raid Bin Ladens hideout and execute him!
http://{BLOCKED}dssz.co.cc/laden.png
It registers the user to be a fan of the MW GIVEAWAY MW GIft page. It also hides chat boxes from the user's window.
The following sites are shortened URLs that also point to http://{BLOCKED}count.info/end.php:
- http://{BLOCKED}p.com/805u7p?
- http://{BLOCKED}ly.ws/e4lqeg
As of this writing, the following sites are inaccessible:
- http://{BLOCKED}ount.info/end.php
- http://{BLOCKED}dssz.co.cc/laden.png
Connect with us on
| | | |