Skip to content

Export page to PDF
JS_FEBUSER.A
Malware type: Trojan
Destructive: No
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Encrypted: No
In the wild: Yes

Overview


Infection Channel: Dropped by other malware

This Trojan may be dropped by other malware.

Technical Details


File size: 36,731 bytes
File type: Other
Initial samples received date: 25 Jul 2013

Arrival Details

This Trojan may be dropped by the following malware:

  • TROJ_FEBUSER.A

Download Routine

This Trojan connects to the following URL(s) to download its configuration file:

  • http://{BLOCKED}natown.info/sqlvarch.php

NOTES:

The malware is installed as a Google Chrome extension or Mozilla Firefox add-on using the following names:

  • Mozilla Service Pack 5.0 (for Mozilla Firefox)
  • Chrome Service Pack (for Google Chrome)

It has the following routines depending on the corresponding social networking sites:

Facebook

  • Like Pages
  • Like Posts
  • Comment to Posts
  • Like External Links
  • Share Albums
  • Share Posts
  • Share Photos
  • Join Groups
  • Invite Friends to Groups
  • Update Status
  • Post to Wall
  • Chat Message
  • Join Events
  • Invite Friends to Events
  • Follow Profiles
  • Tag Friends to Wall Posts
  • Tag Friends to Events
  • Post Apps

Twitter

  • Follow
  • Retweet
  • Post

Google Plus

  • Like Page (+1)
  • Like Post (+1)
  • Share Post
  • Wall Post

Its configuration file contains what data to use for the mentioned activities above.

Solution


Minimum scan engine: 9.300
First VSAPI Pattern File: 10.176.07
First VSAPI Pattern Release Date: 25 Jul 2013
VSAPI OPR Pattern Version: 10.177.00
VSAPI OPR Pattern Release Date: 25 Jul 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file dropped/downloaded by JS_FEBUSER.A

Step 3

Scan your computer with your Trend Micro product to delete files detected as JS_FEBUSER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

To uninstall add-ons or plug-ins to your web browser, please follow these steps:

For Chrome users:

  • Refer to this page for uninstall extension instructions.
  • Select the Chrome Service Pack as the add-on or extension to remove or uninstall.

For Firefox users:

  • Refer to this page for add-on removal instructions.
  • Select the Mozilla Service Pack 5.0 as the add-on or extension to remove or uninstall.


Did this description help? Tell us how we did.
Analysis By: Anthony Joe Melgarejo

Connect with us on