Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 9 September 2008

An old friend added you as a friend on facebook

I received this one a few minutes ago, and am not normally excited at receiving "added you as a friend" stuff (I receive a ton of it from various social network sites, such as those I referenced previously), but this one caught my attention due to its size: 290K, rather large for the e-mails I tend to receive.

Anywho, I decided to check it out, and lo and behold (you know what's coming), we gots ourselves both a worm and a little psychology going on: "they'll think they gots friends and install our worm LOLZ!" Alas, nope, I'm not that gullible.

The e-mail reads:


Facebook is a social utility that connects you with the people around you.

Facebook notifier

One of your old classmates added you as a friend on Facebook. We need to confirm that you know her in order for you to be friends on Facebook.

To see her picture please check your attachment.

Thanks,
The Facebook Team
Facebook © 2008


The attachment, picture.zip, contains (surprise surprise) a lovely little executable (picture.exe), and whilst my AV detected it as a worm (Worm/Agent.FT), I decided to upload it to VT anyway:

http://www.virustotal.com/analisis/792924e8c83e3f1230a0f8b44a11cddf

30/36 is unusually great: normally detection this high takes several weeks, not a couple of days (it was apparently uploaded by someone else a couple of days prior to my receiving it).

The entire e-mail, headers included, is as follows:


Exported by: Outlook Export v0.1.2

From: confirm-r16xa@facebookmail.com
E-mail:confirm-r16xa@facebookmail.com [ 204.15.20.125 - mx01.facebookmail.com ]
Date: 10/09/2008 09:15:07
Subject: An old friend added you as a friend on facebook
**************************************************************************
Links
**************************************************************************

Link: hxxp://www.facebook.com/
Domain: www.facebook.com
IP: 69.63.178.16 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: hxxp://www.facebook.com/reset.php
Domain: www.facebook.com
IP: 69.63.178.16 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: hxxp://static.ak.fbcdn.net/images/welcome/welcome_3.gif
Domain: static.ak.fbcdn.net
IP: 62.41.85.97 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
<http://www.facebook.com/>
Email: Password:Remember me
Forgot Password? <http://www.facebook.com/reset.php>
<http://static.ak.fbcdn.net/images/welcome/welcome_3.gif>
Facebook is a social utility that connects you with the people around you.

Facebook notifier




One of your old classmates added you as a friend on Facebook. We need to confirm that you know her in order for you to be friends on Facebook.

To see her picture please check your attachment.


Thanks,

The Facebook Team

Facebook © 2008


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2><<A HREF="http://www.facebook.com/">http://www.facebook.com/</A>><BR>
Email: Password:Remember me<BR>
Forgot Password? <<A HREF="http://www.facebook.com/reset.php">http://www.facebook.com/reset.php</A>><BR>
 <<A HREF="http://static.ak.fbcdn.net/images/welcome/welcome_3.gif">http://static.ak.fbcdn.net/images/welcome/welcome_3.gif</A>><BR>
Facebook is a social utility that connects you with the people around you.<BR>
<BR>
Facebook notifier<BR>
<BR>
<BR>
<BR>
<BR>
One of your old classmates added you as a friend on Facebook. We need to confirm that you know her in order for you to be friends on Facebook.<BR>
<BR>
To see her picture please check your attachment.<BR>
<BR>
<BR>
Thanks,<BR>
<BR>
The Facebook Team<BR>
<BR>
Facebook © 2008<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <confirm-r16xa@facebookmail.com>
Delivered-To: services@[RMV]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-123.livemail.co.uk (Postfix) with SMTP id 0B8545DE8AE
for <services@[RMV]>; Wed, 10 Sep 2008 09:18:41 +0100 (BST)
Received: from facebookmail.com (mail.squires.co.za [196.37.170.133])
by smtp-in-123.livemail.co.uk (Postfix) with ESMTP id D206F5DE96E
for <services@[RMV]>; Wed, 10 Sep 2008 09:17:13 +0100 (BST)
From: confirm-r16xa@facebookmail.com
To: services@[RMV]
Subject: An old friend added you as a friend on facebook
Date: Wed, 10 Sep 2008 10:15:07 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0011_BC1902DD.257BF8A1"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20080910081713.D206F5DE96E@smtp-in-123.livemail.co.uk>
X-Original-To: services@[RMV]


Needless to say, if you receive this - delete it!
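The spoof is visible in the headers above: the sending host announced itself as facebookmail.com, but the receiving Postfix recorded its reverse DNS as mail.squires.co.za [196.37.170.133]. As an added example (not code from the post), here is a small Python check that pulls the hop where the message entered the recipient's mail server and compares the claimed HELO name and From domain against that relay's reverse DNS. It assumes the continuation lines of the folded headers are re-indented as the original export would have had them, and keeps [RMV] as the redaction placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers transcribed from the post (recipient already redacted as [RMV] there).
# Continuation lines are re-indented so a standard RFC 5322 parser folds them.
RAW_HEADERS = """\
Return-Path: <confirm-r16xa@facebookmail.com>
Delivered-To: services@[RMV]
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
\tby smtp-in-123.livemail.co.uk (Postfix) with SMTP id 0B8545DE8AE
\tfor <services@[RMV]>; Wed, 10 Sep 2008 09:18:41 +0100 (BST)
Received: from facebookmail.com (mail.squires.co.za [196.37.170.133])
\tby smtp-in-123.livemail.co.uk (Postfix) with ESMTP id D206F5DE96E
\tfor <services@[RMV]>; Wed, 10 Sep 2008 09:17:13 +0100 (BST)
From: confirm-r16xa@facebookmail.com
To: services@[RMV]
Subject: An old friend added you as a friend on facebook
Date: Wed, 10 Sep 2008 10:15:07 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
\tboundary="----=_NextPart_000_0011_BC1902DD.257BF8A1"
"""

# "from <HELO name> (<reverse DNS> [<IP>])", the form Postfix writes.
HOP_RE = re.compile(r"from\s+(.+?)\s+\((\S+)\s+\[([\d.]+)\]\)")

def parse_received(value):
    m = HOP_RE.search(" ".join(value.split()))  # unfold the header first
    return {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)} if m else None

def entry_hop(msg):
    """First Received hop (top = most recent) whose peer is not loopback,
    i.e. the host that handed the message to the recipient's MTA."""
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop and not hop["ip"].startswith("127."):
            return hop
    return None

def analyse(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    hop = entry_hop(msg)
    findings = []
    if hop:
        helo, rdns = hop["helo"].lower(), hop["rdns"].lower()
        if not rdns.endswith(from_domain):
            findings.append("relay_not_in_from_domain")
        # The relay claimed the From domain in HELO while its reverse DNS disagrees.
        if helo.endswith(from_domain) and not rdns.endswith(from_domain):
            findings.append("helo_spoofs_from_domain")
    return {"from_domain": from_domain, "entry_hop": hop, "findings": findings}

if __name__ == "__main__":
    print(analyse(RAW_HEADERS))
```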
