Analysis by: Anthony Joe Melgarejo

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

This Trojan may be manually installed by a user.

It connects to certain websites to send and receive information.

  TECHNICAL DETAILS

File Size: 30,989 bytes
File Type: Script
Memory Resident: No
Initial Samples Received Date: 10 Apr 2013
Payload: Connects to URLs/IPs

Arrival Details

This Trojan may be manually installed by a user.

Download Routine

This Trojan downloads an updated copy of itself from the following website(s):

  • http://{BLOCKED}t.info/updates/pt_PT/chrome-brasil.crx

Other Details

This Trojan connects to the following website to send and receive information:

  • http://{BLOCKED}ie.info/vars.php

NOTES:

This malware is a Google Chrome Extension that disguises itself as a Chrome Service Pack.

Everytime Google Chrome connects to facebook.com, the malware connects to the following sites:

  • http://{BLOCKED}s.{BLOCKED}e.com/ls/{random characters}

It could do the following without the user's consent:

  • Randomize friends list
  • Like pages in facebook
  • Like external links
  • Share album from a fanpage
  • Join a facebook group
  • Invite friends to a facebook group
  • Post a link to facebook wall
  • Update status
  • Open mass chat window
  • Join events
  • Invite friends to events
  • Obtain promo offers and post them
  • Comment on fanpage posts

It connects to the following URL to generate click profits:

  • http://{BLOCKED}s.{BLOCKED}g.us
  • http://{BLOCKED}r.info/adlinks.php

Here are some examples of its posts, comments and messages in Portugese:

Status/Wall Post:

  • GAROTA DE 15 ANOS ViTIMA DE BULLYING COMETE SUICDIO APOS MOSTRAR OS SEIOS NO FACEBOOK Video no link abaixo http://{Shortened Ad URL}
  • Translation: GIRL OF 15 YEARS bullied suicide COMMIT AFTER SHOW HER BREAST IN FACEBOOK Video on the link below

    Comment:

    • Tenha um Celta 0km pagando R$13,00 por dia
    • Translation: Have a Celtic 0km paying $ 13.00 per day

    Message:

    • Desculpa ai galera, mas isso eh um absurdo
    • Translation:Sorry guys there, but this is nonsense
    • Sonzinho sensa o do momento. Muito show!!
    • Translation: Little sound sensation of the moment. Very show!

    Post description:

    • Eu, n o tenho carro do ano, n o tenho grana sobrando, mas chego junto e...
    • Translation: I have no car of the year, I have no money left, but I come along and ...

  •   SOLUTION

    Minimum Scan Engine: 9.300
    FIRST VSAPI PATTERN FILE: 9.848.05
    FIRST VSAPI PATTERN DATE: 10 Apr 2013
    VSAPI OPR PATTERN File: 9.849.00
    VSAPI OPR PATTERN Date: 10 Apr 2013

    Step 1

    Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

    Step 2

    Scan your computer with your Trend Micro product to delete files detected as JS_KOOBFACE.JG. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

    NOTES:

    Step 2

    Uninstall the Google Chrome Extension Chrome Service Pack. You may refer to this Chrome Support page on how to remove it.


    Did this description help? Tell us how we did.