Facebook Password Reset spam continues (Mar 19, 2010)


SonicWALL UTM Research team continued to monitor the email spam campaign with the theme related to popular social networking website Facebook. This current spam campaign is not as huge in terms of volume of spammed emails as compared to what we saw and covered in SonicAlert – New Bredolab spam campaigns

The email pretends to arrive from Facebook telling the user that their password have been changed and further instructs them to open the attachment to receive their new password. Like in previous campaigns, the email has zip archived attachment which contains an executable file. The sample e-mail format is shown below:

Campaign: Facebook Password Reset file spam

Attachment: Facebook_password_346.zip (contains Facebook_password_346.exe)

Subject: Facebook Password Reset Confirmation! Important Message

Email Body:
Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Your Facebook.


The email message looks like below:


The malicious executable file attachment uses an icon similar to MS Word document to lure users into opening the file. The file looks like this:


If the user downloads and executes the attached malicious file, it performs the following activities:


  • Drops a DLL file nnfj.tqo (20,480 bytes) in %System% directory and runs it.
  • The dropped DLL file looks like this:


Registry Changes:

    The DLL file modifies the following registry entry to ensure that it starts on every system reboot:

    Key: [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon] Value: “Shell”
    Original Data: “Explorer.exe,”
    Modified Data: “Explorer.exe rundll32.exe nnfj.tqo nhemkk”

Remote Connection:

    The DLL file tries to connect to a remote URL http://funnylive201(REMOVED)/bb.php and may download additional malware.

Facebook is already aware of this email spam and has issued a warning on their website.

This Trojan is also known as Oficla.M [Microsoft], Oficla.EV [ESET], and Mal/FakeAV-BW [Sophos].

SonicWALL Gateway AntiVirus provides protection against this spam campaign via following signatures:

  • GAV: Suspicious#fakeav_2 (Trojan) [673,532 hits recorded starting March 02, 2010]
  • GAV: Oficla.M_2 (Trojan)


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.