A friend of mine sent me a Facebook photo icon. During my initial analysis, I found out that it was not a simple Facebook icon: the file itself uses a double-extension trick and is in fact an executable rather than a simple image icon. Well, this trick has been around for some time, but it is still pretty effective on some trigger-happy users. So make sure to uncheck "Hide extensions for known file types" so you can detect any malicious file in advance.
See the potentially dangerous file extensions!
.EXE (machine language)
.COM (machine language)
.VB (Visual Basic script)
.VBS (Visual Basic script)
.VBE (Visual Basic script, encoded)
.CMD (batch file - Windows)
.BAT (batch file - DOS/Windows)
.WS (Windows script)
.WSF (Windows script)
.SCR (screen saver)
.SHS (OLE object package)
.PIF (shortcut to DOS file plus code)
.HTA (hypertext application)
.JAR (Java archive)
.JS (JavaScript script)
.JSE (JScript script, encoded)
.LNK (shortcut to an executable)
The malware is a trojan downloader, which is stubbornly the hardest to detect of all the trojan variants, mainly because it only acts as a file download manager that creates a backdoor for the real malicious payload. Some AVs treat the trojan agent as a legitimate file, so it escapes the detection pattern and is only flagged once it comes in contact with the real payload, or only after execution.
VirusTotal Analysis
Here are the results: 8/41 (19.5%)

BitDefender - 7.2 - 2011.06.20 - Gen:Trojan.Heur.aqW@XcQsPlmi
F-Secure - 9.0.16440.0 - 2011.06.20 - Gen:Trojan.Heur.aqW@XcQsPlmi
GData - 22 - 2011.06.20 - Gen:Trojan.Heur.aqW@XcQsPlmi
Ikarus - T3.1.1.104.0 - 2011.06.20 - Gen.Trojan.Heur
Kaspersky - 9.0.0.837 - 2011.06.20 - UDS:DangerousObject.Multi.Generic
McAfee - 5.400.0.1158 - 2011.06.20 - Artemis!4EC9AB3272F2
McAfee-GW-Edition - 2010.1D - 2011.06.20 - Heuristic.BehavesLike.Win32.Downloader.J
Sophos - 4.66.0 - 2011.06.20 - Mal/Generic-L

MD5: 4ec9ab3272f247067e086b7b2d902d50
SHA1: 1b62a8ffdec885daa796b74fb3c4f6853fe6462c
SHA256: 31366d1a65816daf9112460e28a2f6d3d5464528fbb4089afb24dec99963a52b
File size: 7680 bytes
Scan date: 2011-06-20 10:16:17 (UTC)

ThreatExpert

Summary of the findings: Downloads/requests other malicious files from the Internet.
http://www.threatexpert.com/report.aspx?md5=4ec9ab3272f247067e086b7b2d902d50
The Microsoft Malware Protection Center (MMPC)
Detection Status: TrojanDownloader:Win32/Willsienod.A
https://www.microsoft.com/security/portal/Submission/SubmissionHistory.aspx?SubmissionId=D410FFAC-7CC4-44C9-A94B-AA3BEA82A1E9
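To show why the double-extension trick works and how to spot it mechanically, here is an added example (my own code, not part of the post above or the malware it describes). It takes the post's list of dangerous extensions, reports the real type of a file name, flags the "decoy.jpg.exe" pattern, and approximates what Explorer would display with "Hide extensions for known file types" enabled. The file names in SAMPLE_FILES are constructed for illustration; the assumption that every listed extension is a registered file type on the machine (so Explorer hides it) is mine.

```python
import ntpath  # handles both "\" and "/" separators regardless of host OS

# Extensions the post lists as potentially dangerous.
DANGEROUS_EXTS = {
    ".exe", ".com", ".vb", ".vbs", ".vbe", ".cmd", ".bat", ".ws", ".wsf",
    ".scr", ".shs", ".pif", ".hta", ".jar", ".js", ".jse", ".lnk",
}
# Harmless-looking types an attacker borrows for the decoy extension (my list, not the post's).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico", ".pdf", ".doc", ".docx", ".txt"}
# Types whose extension Explorer never shows (NeverShowExt registry flag), even
# when "Hide extensions for known file types" is turned off.
ALWAYS_HIDDEN = {".lnk", ".pif"}


def split_name(path):
    """Return (stem, [ext1, ext2, ...]) with extensions lowercased and padding
    spaces removed, so 'photo.JPG     .exe' -> ('photo', ['.jpg', '.exe'])."""
    base = ntpath.basename(path)
    parts = base.split(".")
    if len(parts) == 1:
        return base, []
    return parts[0], ["." + p.strip().lower() for p in parts[1:]]


def explorer_display_name(path):
    """Approximate what Explorer shows with extension hiding enabled: the final
    extension disappears when it is a registered type. Assumption: every type in
    DANGEROUS_EXTS | DECOY_EXTS is registered on the machine."""
    base = ntpath.basename(path)
    root, ext = ntpath.splitext(base)
    if ext.strip().lower() in DANGEROUS_EXTS | DECOY_EXTS:
        return root
    return base


def classify(path):
    """Describe a file name: its real (last) extension, whether that makes it
    executable, and whether it hides behind a decoy document/image extension."""
    _, exts = split_name(path)
    real_ext = exts[-1] if exts else ""
    executable = real_ext in DANGEROUS_EXTS
    masquerade = executable and len(exts) >= 2 and exts[-2] in DECOY_EXTS
    return {
        "name": path,
        "shown_as": explorer_display_name(path),
        "real_type": real_ext,
        "executable": executable,
        "double_extension": masquerade,
        "ext_always_hidden": real_ext in ALWAYS_HIDDEN,
    }


def find_suspicious(paths):
    """Return the classifications of every name whose real type is executable."""
    return [r for r in (classify(p) for p in paths) if r["executable"]]


# Constructed sample names; none of these are files from the post.
SAMPLE_FILES = [
    "facebook_photo.jpg.exe",          # classic double extension
    "holiday.JPG           .scr",      # padding spaces push the real extension out of view
    "report.pdf",                      # benign
    "setup.exe",                       # executable, but not disguised
    "invoice.doc.lnk",                 # .lnk is hidden even with extensions shown
    "notes.txt",                       # benign
]

if __name__ == "__main__":
    for r in find_suspicious(SAMPLE_FILES):
        print(f"{r['name']!r:35} shown as {r['shown_as']!r:30} "
              f"real type {r['real_type']} double-ext={r['double_extension']}")
```

Running it shows "facebook_photo.jpg.exe" displayed as "facebook_photo.jpg" with extensions hidden, which is exactly the icon the post describes. On the machine itself, unchecking "Hide extensions for known file types" corresponds to setting the DWORD HideFileExt to 0 under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; note that .lnk and .pif stay hidden regardless because of NeverShowExt, so a "document.doc.lnk" still needs a check like the one above.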
Thanks for the valuable information, especially about the Facebook profile photo malware.