Bredolab Malware spammed via fake Facebook Mails

The popularity of the social network Facebook is abused again to spread Malware via Email. The spam mails arrive with the subject “Facebook password has been changed. ID” and contain a ZIP archive as attachment.

Inside the ZIP a file with the name “Facebook_Document.exe” is located which is trying to look harmless by using the icon of a Microsoft Word document.

Upon execution of the file in the ZIP attachment, the Backdoor downloads a Microsoft Word document and opens it if Microsoft Word is installed.

The document consists only of some words and does not contain any further malicious content. The victim will think that the document is the only thing which is opened, and that it shows the new Facebook password. But in the background a fake antivirus called “Microsoft Security Essentials” is downloaded and gets installed on the computer. This is not the real MSE software from Microsoft of course.

Avira protects the customers from this threat and added detection for the Backdoor as BDS/Bredolab.B and for the fake antivirus as TR/FakeAV.gba starting with VDF version 7.11.1.175.

Thomas Wegele
Virus Researcher