Fake 'Facebook Password Reset Confirmation' Email Contains Bredolab Trojan

Facebook says it's time to reset your password? Facebook users should think twice before opening a "Password Reset Confirmation" email that claims to come from Facebook. A new Bredolab trojan variant is spreading through fake "Facebook Password Reset Confirmation" emails. The email carries an attached .exe that, according to the message, contains the recipient's new password; in reality, the recipient is tricked into downloading and running the Bredolab-infected file.

The trojan variant, which has botnet capabilities, is detected as Bredolab.gen.a, Trojan.Downloader.Bredolab.AZ (BitDefender), or W32/Obfuscated.D2!genr (Norman). Bredolab downloads malicious files from the Web and executes them on the infected computer. It also includes code that, after it finishes encrypting user data files, lets it leave the botnet after a reboot or if an external program attempts to analyze its activity. Through the Bredolab botnet, attackers can gain complete control of the PC and harvest data, for example stealing personal information and sending spam to the addresses in the user's contact list.

The 'From' address in the email shows as "The Facebook Team" but the actual SMTP 'From' address is bogus. The message carries a .zip attachment containing an .exe file named Facebook_Password_4tf52.exe. The section between "_" and ".zip" is chosen randomly and consists of letters and numbers. The malicious "Facebook_Password" .exe file connects to two servers, one in the Netherlands and the other in Kazakhstan, in order to download additional malicious files.

The fake "Facebook Password Reset Confirmation" email message reads:

Hey [Facebook User],
Because of the measures taken to provide safety to our clients, your password has been changed.

You can find your new password in attached document.
Thanks,
The Facebook Team
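The two mail-side traits described above, a "Facebook" display name on a non-Facebook sender address and a .zip attachment holding a Facebook_Password_<random>.exe, can be turned into a simple gateway check. The following is an added example written for this article, not code from the original post; the sender address, the facebook.com domain test and the inert placeholder .exe inside the sample are constructed assumptions.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment naming pattern described in the article: Facebook_Password_<random letters/digits>.exe
LURE_NAME = re.compile(r"^Facebook_Password_[A-Za-z0-9]+\.exe$", re.IGNORECASE)
LEGIT_DOMAIN = "facebook.com"  # assumption: genuine Facebook mail would come from this domain

def zip_members(data: bytes) -> list[str]:
    """Return member names of a zip blob, or [] if the bytes are not a zip archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def scan_message(raw: bytes) -> list[str]:
    """Return findings for one RFC 822 message; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    # Display name claims Facebook, but the address is not on the expected domain
    if "facebook" in display.lower() and not addr.lower().endswith("@" + LEGIT_DOMAIN):
        findings.append(f"display name '{display}' but sender address '{addr}'")
    for part in msg.walk():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if not payload:  # multipart containers have no decoded payload
            continue
        # Look inside .zip attachments; otherwise test the attachment's own name
        names = zip_members(payload) if name.lower().endswith(".zip") else [name]
        for member in names:
            if LURE_NAME.match(member):
                findings.append(f"lure attachment {member} in {name or 'message body'}")
    return findings

def build_sample() -> bytes:
    """Constructed sample resembling the lure; the .exe is an inert placeholder, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password_4tf52.exe", b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["From"] = "The Facebook Team <noreply@example.invalid>"  # constructed spoofed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Hey, your password has been changed. You can find your new password in attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_4tf52.zip")
    return bytes(msg)

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print("ALERT:", finding)
```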

Trojan.Downloader.Bredolab.AZ creates the files %AppData%\wiaservg.log and %Programs%\Startup\isqsys32.exe. To bypass firewalls, Bredolab injects its own code into the legitimate processes svchost.exe and explorer.exe. It then attempts to connect to the remote host 202.39.17.53 on port 80.

If you have a Facebook account and receive the fake "Facebook Password Reset Confirmation" email, don't be fooled by its seemingly legitimate attachment. If you did not request a password reset from Facebook, there is no reason for you to receive a "Password Reset Confirmation" email. And even if you did request a reset, Facebook will not send a new password as an email attachment.

How about you? Have you received the fake "Facebook Password Reset Confirmation" email with the Bredolab variant attached?

8 Comments

  • Becky Davidson :

    How do I restore my Facebook page? I believe I did the Facebook Password Reset Confirmation, not realizing it was a fake. Can you please help me?

  • bank ks:

    view password facebook

  • Hactor:

    I received one today. I opened it but not the attachment. I quickly looked up websites and found yours. Glad I did. Thanks for the tip.

  • zinckingeye:

    I'm now safe from this email spam. What if my friends received this spam too and ran the virus?

  • Radu:

    I received one. My AVG antivirus software did not detect the malware.

  • courtney:

    I've tried everything to reset my password and it says the same thing even though I reset it. Can you help me please?

  • Affinity:

    Great thinking! That really breaks the mold!

  • Rahul barfa:

    Password change
