Selected viruses, spyware, and other threats: sorted alphabetically

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Win32/Facibom.A

Aliases:	Backdoor.Win32.Poison.bmnn (Kaspersky), TrojanDownloader:Win32/Tonick.gen!B (Microsoft), Generic.dx!sqg trojan (McAfee)
Type of infiltration:	Worm
Size:	1150976 B
Affected platforms:	Microsoft Windows
Signature database version:	5041 (20100419)

Short description

Win32/Facibom.A is a worm that is spread via links in social networking sites.

Installation

The worm creates the following files:

%appdata%iecsrss.exe (1150976 B)
%appdata%ieremo.bat

The worm may create the following files:

%temp%iexplorer.tmp
%temp%mozzila.tmp
%temp%svchosts.exe
%temp%svchost.exe

In order to be executed on every system start, the worm sets the following Registry entries:

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
Run]
"win" = "%appdata%iecsrss.exe"
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion
Run]
"win" = "%appdata%iecsrss.exe"
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
RunServices]
"win" = "%appdata%iecsrss.exe"

Information stealing

The following information is collected:

passwords
Windows Protected Storage passwords and credentials

The worm collects information related to the following applications:

Mozilla Firefox
Internet Explorer

Spreading

The worm spreads by sending messages to people that are "friends" with someone in the social network whose computer has already been infected.

The messages may contain any of the following texts:

is this you!!?!?? %url%
Is this you??!! %url%
Hey! Is this you!???? %url%
Hey! I think this is you? %url%
Hey! I think this is you?!!! Ha,ha were you drunk?? %url%
Hey! You look like the person in this video and i think it
is you!???!! %url%

A string with variable content is used instead of %url%.

Some examples follow.

If the link is clicked a copy of the worm is downloaded.

The following social networking sites are affected:

facebook.com