[en] Virus Facebook hahaha (Lecpetex)

Some thread about a “Virus Facebok hahaha” thoses last days.
Seems some people go a private message with a zip file.



I dont have the Main zip sent by Facebook, but someone sent me an other zip related to this Virus.
it’s an interresting VBE script :

The VBE download some zip from dropbox and create a Temp directory to store the files.
it registed a DLL that is Bitcoin Miner : https://www.virustotal.com/fr/file/a775ad50757a3de35a3445fb6594cb4b5bc5ec4db34d63ec6b8bf852b6472d0b/analysis/

SHA256: a775ad50757a3de35a3445fb6594cb4b5bc5ec4db34d63ec6b8bf852b6472d0b
Nom du fichier : xml.exfffe
Ratio de détection : 10 / 53
Date d’analyse : 2014-06-10 22:16:20 UTC (il y a 29 minutes)

Ad-Aware Gen:Variant.Graftor.143340 20140610
AntiVir TR/Dropper.Gen 20140610
Avast Win32:Miner-B [PUP] 20140610
BitDefender Gen:Variant.Graftor.143340 20140610
ESET-NOD32 a variant of Win32/Injector.BEIE 20140610
Emsisoft Gen:Variant.Graftor.143340 (B) 20140610
F-Secure Gen:Variant.Graftor.143340 20140610
GData Gen:Variant.Graftor.143340 20140610
MicroWorld-eScan Gen:Variant.Graftor.143340 20140610
Symantec Suspicious.AD 20140610

Also the VBE is able using external utilities like ClickYes (maybe modified : https://www.virustotal.com/fr/file/618232771f97ded754fe06e0be4f47b8c1b13ca9030ef01774176791f354447b/analysis/ ) to get the Outlook contact list and spread by email.
To do that, it use a greek SMP Server :

.Item(“http://schemas.microsoft.com/cdo/configuration/sendusing”) = 2
.Item(“http://schemas.microsoft.com/cdo/configuration/smtpserver”) = “mailgate.otenet.gr”
.Item(“http://schemas.microsoft.com/cdo/configuration/smtpserverport”) = 587
.Item(“http://schemas.microsoft.com/cdo/configuration/smtpusessl”) = False
.Item(“http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout”) = 60
.Item(“http://schemas.microsoft.com/cdo/configuration/smtpauthenticate”) = 1
.Item(“http://schemas.microsoft.com/cdo/configuration/sendusername”) = “nastia26@otenet.gr”
.Item(“http://schemas.microsoft.com/cdo/configuration/sendpassword”) = “nat1978#”

Interresting !

I will try to get the zip file sent on Facebook, if different, will edit this thread if so.

EDIT – June 12

Facebook Malicious Spam example :

Virus #1Virus #2

Also, Someone sent me this article (in French) : http://forum.security-x.fr/securite-generale/vague-de-spams-malicieux-sur-facebook/
There is a sample, but a bit old : First submission 2014-05-28 15:43:35 UTC (il y a 2 semaines) => https://www.virustotal.com/fr/file/4bcb865060ec401b2ed1d20422ed00488e04884f9abd573ca9d41d666b1fe7fc/analysis/1402529232/
The Jar is trying to download zip at dropbox (maybe the same vbe script was there) but Dropbox has already removed all.

Seems also that Malwarebytes has already blog about it : http://blog.malwarebytes.org/security-threat/2014/03/malicious-messages-foray-facebook/


EDIT – June 23

Another article about this threat : http://thegoldenmessenger.blogspot.de/2014/06/malware-spread-over-facebook.html
According to the article, Microsoft detect the Jar with the name Java/Carastavona.E

EDIT – July 9 – Facebook takes down Lecpetex Botnet

Facebook takes down Lecpetex Botnet – more informations : https://www.facebook.com/notes/protect-the-graph/taking-down-the-lecpetex-botnet/1477464749160338

(Visité 101 fois, 1 visites ce jour)

Vous pouvez aussi lire...

Les Tags : #Windows10 - #Windows - #Tutoriel - #Virus - #Antivirus - #navigateurs WEB - #Securité - #Réseau - #Internet