Facebook Password Reset spam continues

March 22, 2010

SonicWALL UTM Research team continued to monitor the email spam campaign with the theme related to popular social networking website Facebook. This current spam campaign is not as huge in terms of volume of spammed emails as compared to what we saw and covered in SonicAlert - New Bredolab spam campaigns

The email pretends to arrive from Facebook telling the user that their password have been changed and further instructs them to open the attachment to receive their new password. Like in previous campaigns, the email has zip archived attachment which contains an executable file. The sample e-mail format is shown below:

Campaign: Facebook Password Reset file spam

Attachment: Facebook_password_346.zip (contains Facebook_password_346.exe)

Subject: Facebook Password Reset Confirmation! Important Message

Email Body:
Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Your Facebook.


The email message looks like below:


The malicious executable file attachment uses an icon similar to MS Word document to lure users into opening the file. The file looks like this:


If the user downloads and executes the attached malicious file, it performs the following activities:


  • Drops a DLL file nnfj.tqo (20,480 bytes) in %System% directory and runs it.
  • The dropped DLL file looks like this:


Registry Changes:

    The DLL file modifies the following registry entry to ensure that it starts on every system reboot:

    Key: [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
    Value: "Shell"
    Original Data: "Explorer.exe,"
    Modified Data: "Explorer.exe rundll32.exe nnfj.tqo nhemkk"

Remote Connection:

    The DLL file tries to connect to a remote URL http://funnylive201(REMOVED)/bb.php and may download additional malware.

Facebook is already aware of this email spam and has issued a warning on their website.

This Trojan is also known as Oficla.M [Microsoft], Oficla.EV [ESET], and Mal/FakeAV-BW [Sophos].

SonicWALL Gateway AntiVirus provides protection against this spam campaign via following signatures:

  • GAV: Suspicious#fakeav_2 (Trojan) [673,532 hits recorded starting March 02, 2010]
  • GAV: Oficla.M_2 (Trojan)