The Trojan comes attached to an email message that claims to come from Facebook. The spam message informs the user that the popular platform has updated its Terms of Service (included in the attachment) and that every active subscriber must review and accept them, or else their access will be restricted. This is a typical scenario that relies on victims' fear of being restricted or prosecuted unless they comply with the request.
However, the attached zip archive contains only a binary file, called agreement.exe and infected with Trojan.Sasfis.A. The 20-kilobyte file is a dropper, which means that it only downloads a dll file from the web and copies it either to %USERPROFILE%\Local Settings\Temp\[random digits].tmp or to %SYSTEM%\ifmq.kqo. If the infected system has Microsoft Office installed, the malware attempts to run a Visual Basic script with OLE automation in the context of the MS Word process.
The Trojan also features an update component, which makes it extremely dangerous, given that an attacker may remotely install additional malware such as keyloggers.
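As an added illustration (not code from the original article or from BitDefender), the following Python script encodes the two observable traits described above as defensive checks: a zip attachment that holds nothing but an executable, and the two drop locations. The sample zip and file paths are constructed; `%SYSTEM%` is assumed to expand to `C:\WINDOWS\system32`, and the random digits in the temp path are matched as any run of digits.

```python
import io
import re
import zipfile

# Drop locations named in the advisory, as path-suffix patterns. The digits in
# the %USERPROFILE% path are random, so any run of digits is accepted.
DROP_PATH_PATTERNS = [
    re.compile(r"\\Local Settings\\Temp\\\d+\.tmp$", re.IGNORECASE),
    re.compile(r"\\ifmq\.kqo$", re.IGNORECASE),
]


def triage_zip_attachment(data: bytes) -> dict:
    """Inspect a zip attachment and report whether it has the lure's shape:
    a 'terms of service' archive whose only content is an executable."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    executables = [n for n in names if n.lower().endswith(".exe")]
    return {
        "members": names,
        "executables": executables,
        # Flag archives that contain executables and nothing else.
        "suspicious": bool(executables) and len(executables) == len(names),
    }


def find_dropped_files(paths):
    """Filter a list of host file paths down to those matching the drop
    locations described for this Trojan."""
    return [p for p in paths if any(rx.search(p) for rx in DROP_PATH_PATTERNS)]


def _make_sample_zip() -> bytes:
    """Constructed sample: a zip holding a single 'agreement.exe' member.
    The member bytes are a placeholder, not the real dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agreement.exe", b"MZ placeholder")
    return buf.getvalue()


SAMPLE_ZIP = _make_sample_zip()
# Constructed host inventory: two hits, one benign system file.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\48213.tmp",
    r"C:\WINDOWS\system32\ifmq.kqo",
    r"C:\WINDOWS\system32\kernel32.dll",
]

if __name__ == "__main__":
    print(triage_zip_attachment(SAMPLE_ZIP))
    print(find_dropped_files(SAMPLE_PATHS))
```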
Please remember that legitimate companies do not send messages containing attachments, but rather inform users of policy changes when they log into their account. You are also advised to install and regularly update a security solution with antimalware, anti-phishing and anti-spam modules.
Information in this article is available courtesy of BitDefender virus researcher Horea Coroiu.