Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Facibom.A

Aliases: Backdoor.Win32.Poison.bmnn (Kaspersky), TrojanDownloader:Win32/Tonick.gen!B (Microsoft), Generic.dx!sqg trojan (McAfee)
Type of infiltration: Worm
Size: 1150976 B
Affected platforms: Microsoft Windows
Signature database version: 5041 (20100419)

Short description

Win32/Facibom.A is a worm that is spread via links in social networking sites.

Installation

The worm creates the following files:
  • %appdata%\iecsrss.exe (1150976 B)
  • %appdata%\ieremo.bat
The worm may create the following files:
  • %temp%\iexplorer.tmp
  • %temp%\mozzila.tmp
  • %temp%\svchosts.exe
  • %temp%\svchost.exe
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "win" = "%appdata%\iecsrss.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "win" = "%appdata%\iecsrss.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "win" = "%appdata%\iecsrss.exe"
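The artifacts listed above (a "win" value in the Run/RunServices keys pointing at a csrss.exe under %appdata%, and the dropped files under %appdata% and %temp%) are what a responder would look for on a suspect host. The following read-only triage script is an added example, not part of the ESET entry; it assumes the page's paths read "%appdata%\...csrss.exe" and "%temp%\..." once the backslashes that extraction dropped are restored, and uses wildcards for the %appdata% names so it does not depend on the exact sub-path. The script, its variable names and its output format are hypothetical.

```powershell
# Added example (hypothetical script, not ESET's): read-only check for the
# Win32/Facibom.A persistence artifacts named in the entry.
$ErrorActionPreference = 'SilentlyContinue'

# Autostart keys and value name ("win") taken from the entry.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$valueName    = 'win'
$expectedSize = 1150976   # size in bytes of the dropped csrss.exe, per the entry

# Dropped-file names from the entry. The %appdata% names use a leading wildcard
# because the exact sub-path on the page is ambiguous (assumption).
$droppedFiles = @(
    @{ Dir = $env:APPDATA; Patterns = @('*csrss.exe', '*remo.bat') },
    @{ Dir = $env:TEMP;    Patterns = @('iexplorer.tmp', 'mozzila.tmp', 'svchosts.exe', 'svchost.exe') }
)

$findings = New-Object System.Collections.Generic.List[object]

# 1. Autostart values: Get-ItemProperty expands REG_EXPAND_SZ data; expand again
#    in case the data was stored as a plain string containing %appdata%.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $raw = (Get-ItemProperty -Path $key).$valueName
    if ($null -eq $raw) { continue }
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    $findings.Add([pscustomobject]@{
        Kind       = 'RunValue'
        Where      = "$key\$valueName"
        Detail     = $raw
        # The entry's indicator: the value launches a csrss.exe from the user profile.
        # A legitimate csrss.exe lives in %SystemRoot%\System32, never under %appdata%.
        Suspicious = ($expanded -like "$env:APPDATA\*csrss.exe*")
    })
}

# 2. Dropped files: none of these names belong under %appdata% or %temp%,
#    so any hit is worth a look; the size check is a second indicator.
foreach ($entry in $droppedFiles) {
    foreach ($pattern in $entry.Patterns) {
        Get-ChildItem -Path $entry.Dir -Filter $pattern -File -Recurse -Depth 2 | ForEach-Object {
            $sizeMatch = ($_.Name -like '*csrss.exe') -and ($_.Length -eq $expectedSize)
            $findings.Add([pscustomobject]@{
                Kind       = 'DroppedFile'
                Where      = $_.FullName
                Detail     = "$($_.Length) B" + $(if ($sizeMatch) { ' (matches entry size)' } else { '' })
                Suspicious = $true
            })
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Facibom.A persistence artifacts found.'
} else {
    $findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so the HKLM keys and other users' profiles are readable; it only reads, so it is safe to use as a first pass before the host is isolated and the browser credential stores mentioned under "Information stealing" are treated as compromised. Because the real csrss.exe and svchost.exe are only ever loaded from the Windows directory, their presence under a user profile or the temp folder is a usable detection on its own, independent of this one family.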

Information stealing

The following information is collected:
  • passwords
  • Windows Protected Storage passwords and credentials
The worm collects information related to the following applications:
  • Mozilla Firefox
  • Internet Explorer

Spreading

The worm spreads by sending messages to the "friends" of a social network user whose computer has already been infected.

The messages may contain any of the following texts:
  • is this you!!?!?? %url%
  • Is this you??!! %url%
  • Hey! Is this you!???? %url%
  • Hey! I think this is you? %url%
  • Hey! I think this is you?!!! Ha,ha were you drunk?? %url%
  • Hey! You look like the person in this video and i think it
    is you!???!! %url%
  • Salut,c'est peut-etre ton video?!!? %url%
  • Hola, esto eres tu?? %url%
  • Hola! Creo que esto eres tu %url%
A string with variable content is used instead of %url%.

Some examples are shown in the screenshot (screen1(1)(1).jpg, not reproduced here).
If the link is clicked, a copy of the worm is downloaded.

The following social networking sites are affected:
  • facebook.com