FBI vs. Facebook Spam

This morning I checked one of our mailboxes here in the US and discovered a very interesting spam message with the subject line “F.B.I may strike facebook”. When I investigated further, the body of the message contained text such as “F.B.I Facebook Records” and a link to a URL that appeared to be a daily news site.

When you visit the URL, the site automatically downloads an executable, fbi_facebook.exe, while tricking the user into believing that the article is being loaded. The executable is not the so-called article the message mentions, but a Trojan.


File size: 93548 bytes
MD5:    fb1a39398efd85bafb22e9fc220077ce
SHA1:   784a8b27bdcc1820282094a9be8691fee79ad73c
SHA256: 08c41c3109c5a1105f04151d6288b91520f8ad7e5058f326419704ed8edb5374
SHA512: 293c8a849b7c9b86dadf7ebbbc8661535a627ba0be6bc5f2fff9525ae3793790 (only the first 64 hex characters were printed; a full SHA-512 digest has 128)
PEiD:   –
PEInfo: PE structure information

( base data )
entry point address: 0x405598
time/date stamp:     0x488e95e5 (Tue Jul 29 04:00:37 2008)
machine type:        0x14c (I386)

( 5 sections )
name    virt addr  virt size  raw size  entropy  md5
.code   0x1000     0x4620     0x4800    7.88     227a121cd564fa93c0b3cb3b54ec349a
.rdata  0x6000     0x12f      0x200     7.61     38ed1ae64ec215e332eefb1d8a5ec253
.data   0x7000     0x820      0xa00     7.92     45dc9ac3dc99703c85bd9ff20e65b21c
.mdata  0x8000     0x10f10    0x11000   8.00     d88a0bf187575769c566908716507b7e
.CRT    0x19000    0x4        0x200     7.60     3e92819be4f67d671e12b3ae9b1f249e
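Two things in the listing above are worth automating when a sample like this arrives: matching the file's digest against a known-bad list, and looking at per-section entropy. Every section of fbi_facebook.exe, including .code and .rdata, sits between 7.6 and 8.0 bits per byte; compiled code and read-only string data in an ordinary binary score well below that, so this profile is what a packed or encrypted payload looks like. The following is an added example written for this post, not the tool that produced the PEInfo output: a minimal PE section-table parser with Shannon entropy, an IoC check seeded with the post's MD5, and a constructed toy PE image (not the real sample) to run it on. The 7.0 packed-section threshold and the section characteristics used in the toy image are assumptions.

```python
"""Offline triage of a PE sample: file hashes checked against a known-bad list,
plus per-section Shannon entropy to spot packed or encrypted sections.
Added example for this post; the PE parser is a minimal one written here,
not the tool that produced the post's PEInfo listing."""
import datetime
import hashlib
import math
import struct

# Digest from the post's listing for fbi_facebook.exe; extend with your own IoCs.
KNOWN_BAD_MD5 = {"fb1a39398efd85bafb22e9fc220077ce"}

# Sections at or above this entropy (the maximum is 8.0) are flagged as likely
# packed/encrypted. 7.0 is an assumed, common triage threshold, not a hard rule.
PACKED_ENTROPY_THRESHOLD = 7.0

MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant byte, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Read the COFF header and section table of a PE image (optional header is skipped)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)          # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size                                # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    when = datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)),
            "timestamp_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
            "sections": sections}


def triage(pe: bytes, known_bad_md5=KNOWN_BAD_MD5) -> dict:
    """Hash the file, match it against the IoC list and flag high-entropy sections."""
    info = parse_pe(pe)
    md5 = hashlib.md5(pe).hexdigest()
    info["md5"] = md5
    info["sha256"] = hashlib.sha256(pe).hexdigest()
    info["known_bad"] = md5 in known_bad_md5
    info["packed_sections"] = [s["name"] for s in info["sections"]
                               if s["entropy"] >= PACKED_ENTROPY_THRESHOLD]
    return info


def build_sample_pe(sections, timestamp=0x488E95E5) -> bytes:
    """Constructed minimal PE32 image (test data, not the real sample): DOS header,
    PE signature, COFF header, zeroed 224-byte optional header, section table, raw data.
    The default timestamp is the one printed in the post's listing."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                # PE32 magic, rest zeroed
    headers_len = 64 + 4 + 20 + len(opt) + 40 * len(sections)
    hdrs, body, vaddr, rawptr = [], b"", 0x1000, headers_len
    for name, data in sections:
        hdrs.append(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                                len(data), rawptr, 0, 0, 0, 0, 0x60000020))  # assumed characteristics
        body += data
        rawptr += len(data)
        vaddr += (len(data) + 0xFFF) & ~0xFFF                    # next section on a 4 KiB boundary
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x102)
    return dos + b"PE\0\0" + coff + opt + b"".join(hdrs) + body


# Constructed sample: one repetitive section, one with entropy exactly 2.0,
# and one of uniformly distributed bytes that should be flagged as packed.
SAMPLE = build_sample_pe([
    (b".text", b"\x90" * 200 + b"\xc3" * 56),
    (b".rdata", b"ABCD" * 128),
    (b".mdata", bytes(range(256)) * 4),
])

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["machine"], report["timestamp_utc"], "known bad:", report["known_bad"])
    for s in report["sections"]:
        print(f'{s["name"]:<8} {s["vaddr"]:#08x} {s["rawsize"]:#07x} {s["entropy"]:.2f} {s["md5"]}')
    print("likely packed:", report["packed_sections"])
```

Run it on a real file with `triage(open(path, "rb").read())`. The entropy flag is a triage hint, not a verdict: compressed resources and embedded certificates also score high, while a packer that pads with zeros can score low, so treat a hit as a reason to unpack and look further rather than as proof of malice. The hash match, by contrast, is exact and is the cheapest blocking control to deploy at the mail gateway and on endpoints once a sample like this is confirmed.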
