Archive for May, 2010

May 31 2010

Spam email posing as Facebook

Published under Security Research

A new wave of spam posing as Facebook notifications, with subjects such as “Facebook Notification sent you a message on Facebook…” or “Facebook Support sent you a message on Facebook…”, has been spreading recently.

Fake facebook notification

Clicking the fake “To read this message” link does not lead to Facebook. Instead, the user is redirected either to websites hosting malicious code that downloads a virus onto the user’s computer, or to websites selling Viagra. Many domains are used in this wave of attacks, including monicapredatu.go.ro, berks.net, esglesiadepremia.org, nictdextranet.com, autowatch.home.ro and w2webdesign.com.

Bkav recommends that users treat emails with such subjects with suspicion and keep the antivirus software on their computers up to date.

Bkis

2 Comments

May 07 2010

Skype – New target of the worm spreading via IM

Published under Security Research

Only a few days after the emergence of the worm spreading via Yahoo! Messenger (Ymfocard), we have detected a new and more sophisticated wave of attacks targeting both Skype and Yahoo! Messenger.

Messages with different contents sent via Skype

The worm still spreads the way Ymfocard does, by inserting malicious URLs into chat windows, but its social engineering is considerably more sophisticated this time.

The messages the worm sends differ on each round of spreading, for example “Does my new hair style look good? bad? perfect?” or “My printer is about to be thrown through a window if this pic won’t come our right. You see anything wrong with it?”. Users are more easily tricked into clicking the link by such messages, because they appear to be a friend asking for advice. Moreover, the URL appears to point to a .JPG file, reinforcing the impression that it is an image.

If a user clicks the link, the browser immediately loads a website with a Rapidshare-like interface, where a .zip file is offered for download.

Rapidshare-like interface

A .zip file is available for download

The file inside the archive is actually an executable with a .com extension. Its name is chosen so that it looks like a .JPG image, and the trailing .com reads like the domain the file was downloaded from rather than like an executable extension.

After analyzing the worm, we found that it has more complex functions and operations than Ymfocard. The worm:

  • Exits automatically if neither Skype nor Yahoo! Messenger is installed on the victim’s computer.
  • Automatically sends messages with varying contents, each containing a malicious URL, to the contacts in the user’s Skype/Yahoo! Messenger friend list.
  • Automatically injects the malicious link into Word and Excel files and into emails being composed.
  • Connects to an IRC server to receive commands from the attacker.
  • Blocks the operation of antivirus software.
  • Detects virtual machines and sandboxes (anti-analysis).
  • Uses rootkit techniques to hide its files and processes.
  • Prevents users from accessing more than 700 security and antivirus websites.
  • Copies itself, together with an Autorun.inf file, onto USB drives in order to spread.
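Two of the tricks above, the executable named to look like a .JPG with a .com ending and the Autorun.inf dropped onto USB drives, can be caught by a plain look at file names before anything is opened. The script below is an added example written for this page, not Bkis code and not a sample of the worm: it lists the members of a ZIP archive and flags names whose real extension is executable while the part before it imitates an image or document, as well as any autorun.inf. The extension sets are my own choice, and the sample archive is constructed inline with harmless placeholder contents. It relies on the standard Windows behaviour that Explorer hides known extensions by default, so “photo.jpg.com” is displayed as “photo.jpg”.

```python
import io
import zipfile
from typing import Dict, Optional

# Extensions Windows treats as executable when the file is double-clicked.
# With "Hide extensions for known file types" on (the Explorer default),
# "photo.jpg.com" is shown as "photo.jpg". The set is our own choice.
EXECUTABLE_EXTENSIONS = {"com", "exe", "scr", "pif", "bat", "cmd", "vbs", "js"}
# Extensions a lure typically imitates.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "bmp", "doc", "pdf", "txt"}


def classify_name(name: str) -> Optional[str]:
    """Return why an archive member name is suspicious, or None if it is not."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base == "autorun.inf":
        return "autorun.inf (removable-media autostart)"
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return "executable .%s disguised as .%s" % (ext, parts[-2])
    return "executable .%s" % ext


def inspect_zip(data: bytes) -> Dict[str, str]:
    """Map each suspicious member of a ZIP archive to the reason it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason is not None:
                findings[info.filename] = reason
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive; names and contents are made up for this
    example and are not the real Skyhoo payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.jpg.com", b"stub")                 # executable posing as a picture
        zf.writestr("autorun.inf", b"[autorun]\r\nopen=photo.jpg.com\r\n")
        zf.writestr("real_picture.jpg", b"\xff\xd8\xff\xe0")  # a genuine JPEG header
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample_zip()).items():
        print("%-20s %s" % (member, reason))
```

The check is deliberately name-based: a mail or IM gateway can run it on an archive without executing or even fully extracting anything, and the same `classify_name` function applies to a bare download name or to the file name at the end of a lure URL.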

Bkav detects this worm as W32.Skyhoo.Worm.

Once again, we recommend that IM users be careful before clicking any link they receive, even from friends or relatives. Users should also keep the antivirus software on their computers up to date.

Bkis

24 Comments

May 03 2010

New worm spreading via Yahoo! Messenger

Published under Security Research

Yahoo! Messenger users are in danger of being attacked by a new type of worm spreading via the software.

The user receives from a friend a message containing a link that pretends to point to an image. When the user clicks this link, the browser downloads a dangerous .exe file. If the user runs it, the computer is infected and the malware in turn sends malicious links to the accounts in the user’s friend list; the user’s account has now become a source distributing malicious links to other users.

The attack itself is nothing new; several earlier worms have spread the same way. It remains dangerous to unaware users, however, and the bad guys have added phishing elements to trick the user into clicking the link and then opening the downloaded file.

Knowing that IM users often share links with each other, the attackers wrote malware that distributes the fake links as image links. The downloaded .exe file is itself disguised as an image file.

Bkav detects this worm as W32.Ymfocard.fam.Botnet. When it infects a computer, the worm automatically opens a browser window to a website and spreads via Yahoo! Messenger. Its behaviours include the following:

1. Opens the page http://browseusers.myspace.com/Browse/Browse.aspx in a browser window the first time the virus runs.

2. Writes the following keys so that the virus runs at Windows startup:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Firewall Administrating” = “c:\windows\infocard.exe”
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] “Firewall Administrating” = “c:\windows\infocard.exe”

3. Adds itself to the Windows Firewall list of authorized applications, so that its network traffic is not blocked, by writing under the key:

  • [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

4. Copies itself to the %WinDir% folder as “infocard.exe”.

5. Drops the file %WinDir%\winbrd.jpg.

6. Automatically distributes malicious links via YM, for example:

  • http://mig[removed]tos.com/image.php
  • http://www.k[removed]nk.com/image.php
  • …………
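The two registry behaviours above (Run-key autostart and the Windows Firewall exception) are the indicators an incident responder would check first on a suspect machine. The script below is an added example written for this page, not Bkis code: it parses a regedit-style `.reg` export and reports every Run-key value and every AuthorizedApplications entry that references the dropped image name `infocard.exe`. The sample export is constructed inline; the two Run entries follow the write-up, while the value name and data of the firewall-list entry are an assumption modelled on the usual XP SP2 `path:*:Enabled:name` format, since the post does not quote them. Key paths are matched by suffix, so both hives and both `ControlSet001` and `CurrentControlSet` spellings are covered.

```python
import re
from typing import Dict, List, Tuple

# Indicator from the write-up above: the name of the worm's dropped copy.
IOC_IMAGE = "infocard.exe"

# Key suffixes, compared case-insensitively, so HKLM/HKCU and
# ControlSet001/CurrentControlSet variants are all matched.
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
FIREWALL_LIST_SUFFIX = r"\firewallpolicy\standardprofile\authorizedapplications\list"

# Constructed sample in regedit export format (what "reg export" produces).
# The Run entries follow the write-up; the firewall entry is an assumption.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Windows\\system32\\soundtray.exe"
"Firewall Administrating"="c:\\windows\\infocard.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Firewall Administrating"="c:\\windows\\infocard.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\windows\\infocard.exe"="c:\\windows\\infocard.exe:*:Enabled:Firewall Administrating"
'''

# "name"="string value"; backslashes and quotes inside are escaped with '\'.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] sections and "name"="string" values from a .reg export.
    Non-string values (dword:, hex:) are ignored; they are not needed here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is not None and m:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_persistence(keys: Dict[str, Dict[str, str]],
                     ioc: str = IOC_IMAGE) -> List[Tuple[str, str, str]]:
    """Return (category, key, 'name = value') for every Run-key autostart and
    firewall exception whose name or data references the indicator."""
    hits = []
    for key, values in keys.items():
        lowered = key.lower()
        if lowered.endswith(RUN_KEY_SUFFIX):
            category = "run-key autostart"
        elif lowered.endswith(FIREWALL_LIST_SUFFIX):
            category = "firewall exception"
        else:
            continue
        for name, value in values.items():
            if ioc in name.lower() or ioc in value.lower():
                hits.append((category, key, "%s = %s" % (name, value)))
    return hits


if __name__ == "__main__":
    for category, key, entry in find_persistence(parse_reg_export(REG_SAMPLE)):
        print("%-20s %s\n    %s" % (category, key, entry))
```

On a live host the same export is obtained with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for the other two keys), which lets the scan run from a clean machine rather than on the infected one, where a rootkit-equipped sample could hide the values from tools run locally.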

Yahoo! Messenger users should be wary when they receive unknown links, even from friends, and keep their AV programs updated to the latest version to protect their computers.

Bkis

4 Comments