Educause Security Discussion mailing list archives

Re: IM trojan


From: "Brewer, Alex D" <Brewerad () MONTEVALLO EDU>
Date: Thu, 22 Jul 2010 07:17:08 -0500

Hi Dick,

If you can send me the hijack I can look into it. This sounds like W32.Koobface.B. Look for these processes:
C:\Windows\fbtre6.exe or C:\Windows\fmark2.dat. If they exist, then remove this entry in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"systray" = "C:\Windows\fbtre6.exe"


Alex Brewer
University of Montevallo
SungardHigherEd
brewerad () montevallo edu
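
A read-only way to run the check described in the reply above and to collect an MD5 for anyone who asks for one, added here as an example and not written by anyone on the thread. The function name `Test-KoobfaceIndicators` is hypothetical, and the `CurrentVersion` spelling of the Run key and the extra WOW6432Node (32-bit view) key are assumptions not stated in the message.

```powershell
# Added example, not from the original thread. Read-only: it reports the
# indicators named in the message and changes nothing on the machine.
# Run from an elevated PowerShell 4.0+ prompt (Get-FileHash is required).
$Files    = 'C:\Windows\fbtre6.exe', 'C:\Windows\fmark2.dat'
$RunKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',             # assumed spelling of the key
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'  # assumption: 32-bit view on x64
)
$RunName  = 'systray'
$Expected = 'C:\Windows\fbtre6.exe'

function Test-KoobfaceIndicators {   # hypothetical helper name
    $findings = @()

    foreach ($path in $Files) {
        # -Force so hidden or system attributes do not hide the file
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            $findings += [pscustomobject]@{
                Type = 'File'; Location = $item.FullName; Detail = "MD5 $hash"
            }
        }
    }

    foreach ($key in $RunKeys) {
        $value = (Get-ItemProperty -Path $key -Name $RunName -ErrorAction SilentlyContinue).$RunName
        if ($null -ne $value) {
            # Only the exact target from the message is called a match;
            # any other "systray" value is reported for manual review.
            if ($value.Trim('"') -ieq $Expected) { $detail = "matches: $value" }
            else                                 { $detail = "review: $value" }
            $findings += [pscustomobject]@{
                Type = 'RunValue'; Location = "$key\$RunName"; Detail = $detail
            }
        }
    }
    return $findings
}

$result = Test-KoobfaceIndicators
if ($result) { $result | Format-Table -AutoSize -Wrap }
else         { 'None of the listed files or Run values were found.' }
```
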

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of RL Vaughn
Sent: Wednesday, July 21, 2010 6:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IM trojan

Dick Jacobson wrote:
We got hit today with a trojan that is spreading through IM.  It 
references a Facebook presence and contains an image.  When the message is 
clicked on, the trojan spreads to that user's IM list and infects the 
machine.

The symptoms are not always consistent but most have gotten a pop-up when 
they open a web browser which asks them to click to confirm they are a 
human and not a robot.

McAfee and MalwareBytes do not clean this; and we are rebuilding at least 
2 machines because of this.

Anyone else seeing this and/or have a fix ??


-----------------------------------------------------------------------
     Dick Jacobson            e-mail : Dick.Jacobson () ndus edu
     NDUS IT Security Officer office : STTC 219
                      phone  : 701-231-6280
-----------------------------------------------------------------------

Hi Dick,

Let me know if you need an appropriate Facebook contact.  Do you have a 
binary or md5 thereof?


Randy

