In a previous blog post we discussed Trojan:JS/Febipos.A, a malicious browser extension that targets the Facebook profiles of Google Chrome and Mozilla Firefox users. We recently came across a new Febipos sample that was specifically developed for Internet Explorer - we detect it as Trojan:Win32/Febipos.B!dll.
Figure 1: The plugin tries to look legitimate in Internet Explorer add-ons
Spamming links on Facebook
When installed and loaded successfully, Trojan:Win32/Febipos.B!dll will attempt to load a configuration file that it downloads from supbr.info/<removed>.php. It can then access a logged-in Facebook account to:
We have seen it post the following messages in Portuguese on the wall of a logged-in Facebook account. It can also tag several of the affected user's friends:
One of the following URLs is also included in the message:
It may also use one of the following images:
Figure 2: An example of the images used by Trojan:Win32/Febipos.B!dll in Facebook spam
Here is an example of the Facebook post:
Figure 3: An example Trojan:Win32/Febipos.B!dll Facebook post
When someone clicks on the link in the message, they are redirected to mprptrk.com/<removed>/v294v294e4p233r224w2t254/. This site will then redirect again to one of the following URLs:
We have seen Trojan:Win32/Febipos.B!dll being dropped and loaded by Trojan:Win32/Febipos.B with the path and filename %appdata%\WService.dll. It is loaded using the legitimate Windows application named regsvr32.exe. This application is used to register dynamic-link libraries and ActiveX controls in the registry.
The trojan creates the following registry entries to register itself as a browser helper object:
It will also create the following registry entry to ensure it is only loaded in Internet Explorer and not in Windows Explorer:
The following registry entries are also created to disable some Internet Explorer notifications:
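As an added example (not code from this post or from MMPC), the PowerShell below enumerates the Browser Helper Objects registered on a Windows host, resolves each CLSID to the DLL that regsvr32.exe registered for it, and flags entries whose DLL lives under a user-writable directory such as %appdata% or lacks a valid Authenticode signature. It assumes the standard BHO and CLSID registration keys and read access to HKLM and HKCU.

```powershell
# Enumerate registered BHOs and flag those that look like Febipos-style drops.
# Added example, not MMPC code. Assumes Windows PowerShell 3.0+ and registry read access.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# User-writable roots where a legitimate BHO DLL should not normally be installed.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

# Resolve a BHO CLSID to the DLL path recorded under its InprocServer32 subkey.
function Get-BhoDllPath([string]$clsid) {
    $roots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID')
    foreach ($root in $roots) {
        $server = Join-Path $root "$clsid\InprocServer32"
        if (Test-Path $server) {
            $default = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            if ($default) { return [Environment]::ExpandEnvironmentVariables($default) }
        }
    }
    return $null
}

$findings = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $clsid = $sub.PSChildName
        $dll   = Get-BhoDllPath $clsid
        $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
        # NoExplorer=1 is the documented BHO flag that keeps the object out of
        # Windows Explorer so it is loaded by Internet Explorer only.
        $noExplorer = ($props.NoExplorer -eq 1)
        $inUserDir  = $false
        if ($dll) {
            foreach ($dir in $userWritable) {
                if ($dll.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
            }
        }
        $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
        [pscustomobject]@{
            CLSID = $clsid; Dll = $dll; NoExplorer = $noExplorer; InUserDir = $inUserDir
            Signature = $sig; Suspicious = ($inUserDir -or $sig -ne 'Valid')
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries marked Suspicious with a DLL under %appdata% and NoExplorer set deserve a closer look; a 64-bit Windows host registers 32-bit BHOs under the Wow6432Node keys, which is why both views are enumerated.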
All of the above information was found at the time of our analysis; however, these websites can change at any time. In any case, we always recommend you keep your security products up-to-date with the latest definitions to help reduce your chance of infection.
Jonathan San Jose, MMPC
5cbd9c1e870b09fdd4b67e7610acbea8dddee9bd - Trojan:Win32/Febipos.B
361546e95a79b96a15e15ab82b1849f68b7381b2 - Trojan:Win32/Febipos.B!dll
bad556fb373e14f7041b3361ca450b2156a5ecda - Trojan:JS/Febipos.E