Home / malwarePDF  

Trojan:JS/Febipos.E


First posted on 14 November 2013.
Source: Microsoft

Aliases :

There are no other names known for Trojan:JS/Febipos.E.

Explanation :

Threat behavior

Installation

Trojan:JS/Febipos.E can be installed on your PC by Trojan:Win32/Febipos.B!dll.

Payload

When installed, Trojan:JS/Febipos.E tries to read a configuration file from remote server supbr.info/sqlvarbr.php.

The configuration file contains a list of commands for the trojan to do in a logged on Facebook account. This includes instructions to:

  • Like a page
  • Share
  • Post
  • Join a group
  • Invite friends to a group
  • Chat to friends
  • Comment on a post


Posts Facebook messages

We have seen Trojan:JS/Febipos.E post the following messages in Portuguese on the wall of a logged in Facebook account. It can also tag several of your friends:

  • Encontrei um vídeo no Youtube ensinando a ganhar $$ na Internet pelo Google! Acho que vale a pena
    I found a video on Youtube teaching how to earn $$ on the internet through Google! I think it's worth it.
  • Nem eu acredito, mas é verdade.
    Even I don't believe it, but it's true.
  • Dificuldades para PERDER PESO? Com ULTRA SLIM você emagrece sem sofrer!
    Struggling to lose weight? With ULTRA SLIM you lose weight without suffering!
  • PERCA PESO, GANHE SAÚDE E AUTO-ESTIMA. SÀœ DEPENDE DE VOCÊ.
    Lose weight, gain in health and self-steem. It's only up to you.
  • Encontrei um vídeo no Youtube ensinando a ganhar $$ na Internet pelo Google!
    I found a video on Youtube teaching how to earn $$ on the internet through Google!
  • Oportunidade: Google paga R$160 por hora para trabalhar em Casa!
    Opportunity: Google pays R$ 160 per hour to work from home!
  • Ganhe R$15.000 por mês trabalhando em Casa na Internet. Acesse o Link e saiba como!
    Earn R$15,000 per month working from home on the internet. Click on the link and find out how!


One of the following URLs is also included in the message:

  • dl.dropboxusercontent.com/<removed>/aan57i7rfpx6qo0/index.html
  • dl.dropboxusercontent.com/<removed>/kzsdfkep25dz1pi/index.html
  • dl.dropboxusercontent.com/<removed>/inxtfvhqti5hvvr/index.html


Below is an example of the Facebook post:



We have seen the links in these messages redirect to mprptrk.com/<removed>/v294v294e4p233r224w2t254/.

This site will then redirect again to one of the following URLs:

  • www.ultraslimsystem.com.br/<removed>/
  • gazetadaweb.com/<removed>/




Analysis by Jonathan San Jose

Symptoms

The following could indicate that you have this threat on your PC:



  • Your Facebook account will like and comment on pages that you didn't like or comment on

Last update 14 November 2013

 

TOP

Malware :

Family: