MX Lab detected a new Bredolab variant masking itself as the “Facebook Password Reset Confirmation”. The From address in the email is shown as “The Facebook Team < This e-mail address is being protected from spambots. You need JavaScript enabled to view it >” but the real SMTP from address is spoofed.

The attachment has the name Facebook_Password_4cf91.zip and includes the file Facebook_Password_4cf91.exe. the part between _ and .zip at the end is choosen randomly and contains letters and numbers.

The trojan is known as Trojan.Downloader.Bredolab.AZ (BitDefender), Bredolab.gen.a (McAfee) or W32/Obfuscated.D2!genr (Norman) and is only detected by 14 of the 41 AV engines at Virus Total.

The body of the email:

Hey vguysville ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team

Bredolab is a trojan horse that downloads and executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions).

This Bredolab variant will create the files %AppData%\wiaservg.log and %Programs%\Startup\isqsys32.exe. It will also create the process isqsys32.exe and svchost.exe.

It will attempt to connect with the remote host 202.39.17.53 on port 80. The data identified by the following URL was then requested from the remote web server: hxxp://mmsfoundsystem.ru/public/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&v=15&rnd=8520045

Virus Total permlink and MD5: e3edffb53e463bc6e3f498c8aaa1e447.