New Trojan Horse Threatens Facebook Users
OREANDA-NEWS. February 7, 2012. Doctor Web—the Russian anti-virus vendor—warns users about Trojan.OneX, a program that uses infected machines to send spam via Facebook and messaging clients. Currently, two modifications of this Trojan horse with similar features are found regularly in the wild. Given the spreading scheme, the number of victims can be extremely large.
Trojan.OneX runs only under 32-bit Windows versions. When run on a 64-bit system, it stops working after downloading a text file from a remote server. Once launched on the infected machine, Trojan.OneX.1 checks whether a copy of itself is already present in the system, then decrypts the address of the remote server from which it downloads a special text file. This file contains several lines in English such as “hahaha! http://goo.gl [...]. jpeg “, which the Trojan horse substitutes for messages the user tries to post to Facebook. Message text is replaced by strings from the file only in chat mode; in such cases, the messages actually typed on the infected system are blocked. Every hour, the Trojan horse downloads a new configuration file from the remote server.
Trojan.OneX.1 looks for running processes named firefox, iexplore and IEXPLORE in the system and, if found, injects its code into them. It then takes control of the functions responsible for sending messages.
Soon after the first modification of the Trojan horse had been discovered, Doctor Web's virus analysts got hold of another malware sample, dubbed Trojan.OneX.2. Unlike the first version, the second modification targets popular messaging software processes such as skype, pidgin, aim, msnmsgr, icq.exe, yahoom, ymsg_tray.exe, googletalk and xfire.exe instead of browsers. The mouse and keyboard connected to the infected system are blocked while a message is being sent. Unlike Trojan.OneX.1, Trojan.OneX.2 can parse configuration files in Unicode.
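Both modifications inject into a fixed set of browser and messaging-client processes, which gives a defender a simple detection hook. The following is an added example (not Doctor Web's code) that runs over constructed events in the shape of Sysmon Event ID 8 (CreateRemoteThread, with its real SourceImage/TargetImage fields) and flags threads created in the named processes by a different program; the event values and file paths are invented for illustration.

```python
import ntpath
from typing import Dict, Iterable, List

# Process names Trojan.OneX.1 and .2 are reported to inject into, taken from
# the description above; lower-cased image basenames without ".exe".
ONEX_TARGET_PROCESSES = {
    "firefox", "iexplore",                                   # Trojan.OneX.1
    "skype", "pidgin", "aim", "msnmsgr", "icq", "yahoom",   # Trojan.OneX.2
    "ymsg_tray", "googletalk", "xfire",
}


def _basename_noext(image_path: str) -> str:
    """Lower-cased executable name without extension, e.g.
    'C:\\Program Files\\Skype\\Skype.exe' -> 'skype'."""
    name = ntpath.basename(image_path).lower()
    return name[:-4] if name.endswith(".exe") else name


def flag_suspicious_injections(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return CreateRemoteThread-style events (Sysmon EID 8 field names
    SourceImage / TargetImage) whose target is one of the browser or
    messaging clients on the Trojan.OneX list and whose source is a
    different executable. A program creating a thread in its own image
    (a browser's own helper, for example) is ignored."""
    hits = []
    for ev in events:
        target = _basename_noext(ev.get("TargetImage", ""))
        source = _basename_noext(ev.get("SourceImage", ""))
        if target in ONEX_TARGET_PROCESSES and source != target:
            hits.append(ev)
    return hits


# Constructed sample events (not real telemetry), shaped like Sysmon EID 8.
SAMPLE_EVENTS = [
    {"UtcTime": "2012-02-07 09:00:01", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},       # flagged
    {"UtcTime": "2012-02-07 09:00:03", "SourceImage": r"C:\Program Files\Skype\Phone\Skype.exe",
     "TargetImage": r"C:\Program Files\Skype\Phone\Skype.exe"},              # self, ignored
    {"UtcTime": "2012-02-07 09:00:07", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Program Files\Pidgin\pidgin.exe"},                  # flagged
    {"UtcTime": "2012-02-07 09:00:09", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},                    # not a OneX target
]

if __name__ == "__main__":
    for hit in flag_suspicious_injections(SAMPLE_EVENTS):
        print(f'{hit["UtcTime"]} {hit["SourceImage"]} -> {hit["TargetImage"]}')
```

The same match on image basenames can be expressed as a rule in whatever log pipeline ingests Sysmon, with the Trojan.OneX.2 names added to the browser list once the second variant is in scope.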