Today I stumbled across a new trojan/password stealer that installs itself through Sun Microsystems Java.
Users receive an email such as:
Amy Fibro commented on your photo.
To see the comment thread, follow the link below:
The Facebook Team
This email is not from Facebook. If you look at the link in the email, it points to a different URL that hosts the Java application which installs the virus.
With a default install of Internet Explorer 8, with all the latest security updates and patches as of 26/11/2010 and default security settings, the worm was able to install itself automatically.
The worm adds itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run so it can automatically execute upon startup.
The worm also changes the Internet Explorer security settings by modifying a series of registry keys.
The following Registry Values were modified:
The worm is also capable of infecting executables.
The malware injects code into the address space of the following processes to mask its presence:
If you do not run your PC as an administrator, the worm will not have permission to infect anything beyond your user profile.
The worm collects FTP credentials (IP, port, username, and passwords) from the following FTP software:
The worm also has a keylogger for logging all other password-related activity, such as bank accounts etc.
When installed the worm copied itself to:
%APPDATA%\<random letters>\<random letters>.exe
For example, for me it called itself niba.exe.
When the virus is running, the description it gives itself in Task Manager is Windows Defender.
Running the virus through one of my favourite sites, virscan.org, we see that only some antivirus companies detect it, and the ones that do only come back with a generic detection.
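The persistence pattern described above (a Run value under HKCU pointing at an executable in a random-letters folder under %APPDATA% that calls itself "Windows Defender") can be checked for with a short script. The following is an added example for defenders, not code from the original post; it assumes the file's version resource carries the "Windows Defender" description and that a genuine Defender binary would be Microsoft-signed.

```powershell
# Added example (not from the original post): hunt for the persistence pattern described above.
# Assumptions: the entry lives in HKCU\...\Run, the target is <letters>\<letters>.exe under %APPDATA%,
# and its version resource claims "Windows Defender" while the file is not Microsoft-signed.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [System.IO.Path]::GetFullPath($env:APPDATA)

function Get-RunEntries {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object {
            # Strip surrounding quotes and trailing arguments to recover the executable path
            $raw = [string]$_.Value
            if ($raw -match '^\s*"([^"]+)"') { $path = $Matches[1] }
            else { $path = ($raw -split '\s+')[0] }
            [pscustomobject]@{ Name = $_.Name; Path = [Environment]::ExpandEnvironmentVariables($path) }
        }
}

function Test-SuspiciousEntry {
    param([string]$Path)
    $reasons = @()
    if ($Path -like "$appData\*") { $reasons += 'runs from %APPDATA%' }
    if ($Path -match '\\[A-Za-z]+\\[A-Za-z]+\.exe$') { $reasons += 'random-letters folder/name pattern' }
    if (Test-Path -LiteralPath $Path) {
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
        $sig  = Get-AuthenticodeSignature -LiteralPath $Path
        if ($info.FileDescription -match 'Windows Defender' -and
            ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft')) {
            $reasons += 'claims to be Windows Defender but is not Microsoft-signed'
        }
    } else {
        $reasons += 'target file missing (hidden, or already removed)'
    }
    return $reasons
}

foreach ($entry in Get-RunEntries) {
    $flags = Test-SuspiciousEntry -Path $entry.Path
    if ($flags.Count -gt 0) {
        Write-Output ("SUSPECT  {0}  ->  {1}" -f $entry.Name, $entry.Path)
        $flags | ForEach-Object { Write-Output ("         - $_") }
    }
}
```

Run it under the affected user account, since the Run key being checked is per-user (HKCU); a clean machine prints nothing.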
I will be submitting the virus sample to the other antivirus companies to get this worm indexed ASAP.