Analysis by: Anthony Joe Melgarejo
 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware

This Trojan may be dropped by other malware.

  TECHNICAL DETAILS

File Size: 36,731 bytes
File Type: Other
Initial Samples Received Date: 25 Jul 2013

Arrival Details

This Trojan may be dropped by the following malware:

  • TROJ_FEBUSER.A

Download Routine

This Trojan connects to the following URL(s) to download its configuration file:

  • http://{BLOCKED}natown.info/sqlvarch.php

NOTES:

The malware is installed as a Google Chrome extension or Mozilla Firefox add-on using the following names:

  • Mozilla Service Pack 5.0 (for Mozilla Firefox)
  • Chrome Service Pack (for Google Chrome)

It has the following routines depending on the corresponding social networking sites:

Facebook

  • Like Pages
  • Like Posts
  • Comment to Posts
  • Like External Links
  • Share Albums
  • Share Posts
  • Share Photos
  • Join Groups
  • Invite Friends to Groups
  • Update Status
  • Post to Wall
  • Chat Message
  • Join Events
  • Invite Friends to Events
  • Follow Profiles
  • Tag Friends to Wall Posts
  • Tag Friends to Events
  • Post Apps

Twitter

  • Follow
  • Retweet
  • Post

Google Plus

  • Like Page (+1)
  • Like Post (+1)
  • Share Post
  • Wall Post

Its configuration file contains what data to use for the mentioned activities above.

  SOLUTION

Minimum Scan Engine: 9.300
FIRST VSAPI PATTERN FILE: 10.176.07
FIRST VSAPI PATTERN DATE: 25 Jul 2013
VSAPI OPR PATTERN File: 10.177.00
VSAPI OPR PATTERN Date: 25 Jul 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file dropped/downloaded by JS_FEBUSER.A

Step 3

Scan your computer with your Trend Micro product to delete files detected as JS_FEBUSER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

To uninstall add-ons or plug-ins to your web browser, please follow these steps:

For Chrome users:

  • Refer to this page for uninstall extension instructions.
  • Select the Chrome Service Pack as the add-on or extension to remove or uninstall.

For Firefox users:

  • Refer to this page for add-on removal instructions.
  • Select the Mozilla Service Pack 5.0 as the add-on or extension to remove or uninstall.


Did this description help? Tell us how we did.