If you don’t already know, there’s malware going around through Facebook.
It starts off with the subject of:
i found a video with you in my camera.
You click on the link and you are led to a bunch of domains. One controlled by some ISP in Colorado, and then very-funny-webs.com . Do an nslookup on that one. Then you’re led to a server in Beijing and then finally to some poor computer that’s been hacked on port 7777.
Whatever you do, do not click that link!
Where was I? That computer automatically downloads a payload called: flash_update.exe
This is where things get interesting.
0000050: 6973 2070 726f 6772 616d 2063 616e 6e6f is program canno
0000060: 7420 6265 2072 756e 2069 6e20 444f 5320 t be run in DOS
0000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 mode….$…….
Also, the dirty work of ruining your day is done here:
0003480: 454c 3332 2e44 4c4c 0041 4456 4150 4933 EL32.DLL.ADVAPI3
0003490: 322e 646c 6c00 5553 4552 3332 2e64 6c6c 2.dll.USER32.dll
00034a0: 0000 4c6f 6164 4c69 6272 6172 7941 0000 ..LoadLibraryA..
00034b0: 4765 7450 726f 6341 6464 7265 7373 0000 GetProcAddress..
00034c0: 5669 7274 7561 6c50 726f 7465 6374 0000 VirtualProtect..
00034d0: 5669 7274 7561 6c41 6c6c 6f63 0000 5669 VirtualAlloc..Vi
00034e0: 7274 7561 6c46 7265 6500 0000 4578 6974 rtualFree…Exit
00034f0: 5072 6f63 6573 7300 0000 5265 674f 7065 Process…RegOpe
0003500: 6e4b 6579 4578 4100 0000 4973 5769 6e64 nKeyExA…IsWind
0003510: 6f77 0000 0000 0000 0000 0000 0000 0000 ow…………..
The code seems to be messing around with your DLL’s in Windows which is bad. I’m on OS X, so I lucked out.
Anyway, I hope this piece of Malware didn’t get you and I hope those assholes burn in hell.
If anybody can add more details about how this malware works, please let me know.