New F.B.I. vs Facebook Storm Wave (July 31, 2008)


July 31, 2008

The Storm worm authors have changed their spam campaign, which now uses a fake news story about the FBI and Facebook. Since July 29, 2008, a new wave of Storm e-mails has been spammed with the following subjects:

  • F.B.I. can watch our conversation through Facebook
  • FBI agents patrol Facebook
  • FBI may strike Facebook
  • FBI on the Hunt for Facebook users
  • F.B.I. bypasses Facebook to nail you
  • F.B.I. Looks Into Facebook
  • F.B.I. are spying on your Facebook profiles
  • F.B.I. busts alleged Facebook
  • Get Facebooks F.B.I. Files
  • Facebooks F.B.I. ties
  • F.B.I. watching you
  • The FBIs plan to profile Facebook
  • The FBI has a new way of tracking Facebook

In this new wave, the link in the spammed e-mail points either to a raw IP address or to a domain. Here are a few examples of such e-mails:


The user will see the following page when he or she clicks on the link in the e-mail:


The e-mail contains a fake message about the FBI and Facebook. If the user clicks the link on the page, it prompts the user to download the file fbi_facebook.exe, which is the new variant of the Storm worm.
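The subject lines and raw-IP links described above can be screened at the mail gateway. The following is an added example, not SonicWALL's code, that matches a message's subject against the list from this post and flags links whose host is a bare IP address; the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Subject lines listed in the post for this Storm wave
STORM_SUBJECTS = [
    "F.B.I. can watch our conversation through Facebook",
    "FBI agents patrol Facebook",
    "FBI may strike Facebook",
    "FBI on the Hunt for Facebook users",
    "F.B.I. bypasses Facebook to nail you",
    "F.B.I. Looks Into Facebook",
    "F.B.I. are spying on your Facebook profiles",
    "F.B.I. busts alleged Facebook",
    "Get Facebooks F.B.I. Files",
    "Facebooks F.B.I. ties",
    "F.B.I. watching you",
    "The FBIs plan to profile Facebook",
    "The FBI has a new way of tracking Facebook",
]

def normalize(subject):
    # Fold "F.B.I." to "fbi" and drop case/punctuation so minor variants still match
    return re.sub(r"[^a-z0-9 ]", "", subject.lower().replace("f.b.i.", "fbi"))

KNOWN_SUBJECTS = {normalize(s) for s in STORM_SUBJECTS}
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)
RAW_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def classify(raw_message):
    """Return the reasons a message looks like this Storm wave (empty list if none)."""
    msg = message_from_string(raw_message)
    reasons = []
    if normalize(msg.get("Subject", "")) in KNOWN_SUBJECTS:
        reasons.append("known Storm subject")
    body = "" if msg.is_multipart() else msg.get_payload()
    if any(RAW_IP.match(host) for host in URL_HOST.findall(body)):
        reasons.append("link to a raw IP address")
    return reasons

# Constructed sample messages (documentation-range IP, example.com domain)
STORM_SAMPLE = "Subject: F.B.I. watching you\n\nFull story: http://192.0.2.10/fbi.html\n"
BENIGN_SAMPLE = "Subject: Quarterly report\n\nSee http://www.example.com/report\n"

if __name__ == "__main__":
    print(classify(STORM_SAMPLE))   # ['known Storm subject', 'link to a raw IP address']
    print(classify(BENIGN_SAMPLE))  # []
```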


It also drops the following files on the system:

  • C:\WINDOWS\glok+serv.config
  • C:\WINDOWS\glok+59e6-7783.sys

It also creates a new service for glok+59e6-7783.sys and starts it.

SonicWALL detects this new wave with the following signatures:

GAV: Zhelatin.ZI (Worm) – Released on July 23, 2008
GAV: Zhelatin.ZM (Worm) – Released on July 29, 2008
GAV: Zhelatin.ZM_2 (Worm) – Released on July 30, 2008
