tries to contact a remote server to get the list of URLs that it uses in the messages it spreads on Facebook and Skype.
We have seen it try to contact the following servers:
The worm then searches for Facebook authentication cookies from the following web browsers:
It also tries to gather Facebook authentication cookies from Firefox using SQLite.
It might copy itself as <current folder>\bluetoothheadsetproxy.exe. This name can change and is hardcoded inside the malware binary.
uses the cookies it finds to try to send private messages to all your online Facebook friends.
The message includes a link to a malicious website. Both the malicious website URL and the message text can change.
The worm monitors whether Skype is installed on your PC and tries to distribute other malware using the web link retrieved from the C&C server.
We have seen this worm being downloaded and installed by Trojan:Win32/Napolar.A.
Downloads other malware
The URL that the worm uses in the messages it sends can redirect to malicious websites that install other malware on your PC.
A hacker can also tell the worm to uninstall itself from your PC to remove older versions of itself.
Analysis by Rodel Finones
The following could indicate that you have this threat on your PC:
- You or your friends receive messages from your Facebook or Skype account that you didn't write