Analysis by: Anthony Joe Melgarejo
 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware

This Trojan may be dropped by other malware.

  TECHNICAL DETAILS

File Size: 36,731 bytes
File Type: Other
Initial Samples Received Date: 25 Jul 2013

Arrival Details

This Trojan may be dropped by the following malware:

  • TROJ_FEBUSER.AA

Download Routine

This Trojan connects to the following URL(s) to download its configuration file:

  • http://{BLOCKED}natown.info/sqlvarch.php

NOTES:
The malware is installed as a Google Chrome extension or Mozilla Firefox add-on using the following names:

  • Mozilla Service Pack 5.0 (for Mozilla Firefox)
  • Chrome Service Pack (for Google Chrome)

It has the following routines depending on the corresponding social networking sites:

  • Facebook
    Like Pages
    Like Posts
    Comment to Posts
    Like External Links
    Share Albums
    Share Posts
    Share Photos
    Join Groups
    Invite Friends to Groups
    Update Status
    Post to Wall
    Chat Message
    Join Events
    Invite Friends to Events
    Follow Profiles
    Tag Friends to Wall Posts
    Tag Friends to Events
    Post Apps
  • Twitter
    Follow
    Retweet
    Post
  • Google Plus
    Like Page (+1)
    Like Post (+1)
    Share Post
    Wall Post

Its configuration file contains what data to use for the mentioned activities above.

  SOLUTION

Minimum Scan Engine: 9.300
FIRST VSAPI PATTERN FILE: 10.176.07
FIRST VSAPI PATTERN DATE: 25 Jul 2013
VSAPI OPR PATTERN File: 10.177.00
VSAPI OPR PATTERN Date: 25 Jul 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file dropped/downloaded by JS_FEBUSER.AA

Step 3

Scan your computer with your Trend Micro product to delete files detected as JS_FEBUSER.AA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:
To uninstall add-ons or plug-ins to your web browser, please follow these steps:

For Chrome users:

  1. Refer to this page for uninstall extension instructions.
  2. Select the Chrome Service Pack as the add-on or extension to remove or uninstall.

For Firefox users:

  1. Refer to this page for add-on removal instructions.
  2. Select the Mozilla Service Pack 5.0 as the add-on or extension to remove or uninstall.


Did this description help? Tell us how we did.

Related Malware