Reading Time: ~ 2 min.

Facebook users, watch what you click on!

Cybercriminals are currently mass mailing bogus “Facebook Account Cancellation Requests“, in an attempt to trick Facebook’s users into clicking on the malicious link found in the email. Upon clicking on the link, users are exposed to client-side exploits which ultimately drop malware on the affected host.

More details:

Sample screenshot of the spamvertised email:


Sample client-side exploitation chain: hxxp:// -> hxxp:// -> hxxp:// -> hxxp:// -> hxxp:// -> hxxp://

Sample client-side exploits served: CVE-2010-0188CVE-2011-3544CVE-2010-0840

Malicious domain name reconnaissance: – – Email:

Domains responding to the same IP, including domains also registered with the same GMail account:

Upon successsful client-side exploitation, the campaign drops MD5: 8b3979c1a9c85a7fd5f8ff3caf83fc56 – detected by 3 out of 46 antivirus scanners as PWS-Zbot.gen.aru

Upon execution, the sample creates the following file on the affected hosts:
%AppData%Ixriyvemarosa.exe – MD5: A33684FD2D1FA669FF6573921F608FBB

It also creates the following directories:

As well as the following Mutex:

It then phones back to ( on port 8012. Another similar subdomain on this host (, was also seen in a crowdsourced DDoS campaign in 2009.

Historically, more malware is known to have been hosted at another subdomain (hxxp:// in 2011. List of associated MD5s:
MD5: e58fe6d04e8d9fce1020f532d3f0bd49 – detected by 40 out of 44 antivirus scanners as Backdoor.Win32.Delf.yqo
MD5: 60fde61eea4da0601a294d8cac18fb85 – detected by 37 out of 42 antivirus scanners as Backdoor:Win32/Hupigon.EA
MD5: ac95c84a99edd65b00fbc845f8e167f0 – detected by 38 out of 42 antivirus scanners as TrojanDropper:Win32/Delfsnif.A
MD5: 7487bbfadde66edddf131b879382a9ef – detected by 38 out of 43 antivirus scanners as Trojan-PSW.Win32.Bjlog.vge
MD5: 6cf58ce47e4a9163ecf2e5e0498d3fa8 – detected by 38 out of 43 antivirus scanners as Worm.Win32.AutoRun.davw
MD5: a694f0c6a0b64cc3601d946f63330a23 – detected by 34 out of 44 antivirus scanners as Trojan.RAR.Qhost.c

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This