
Trojan:Win32/Acbot.A


Trojan:Win32/Acbot.A is a trojan that posts messages to certain social media websites that you might access using a web browser. The messages posted by Trojan:Win32/Acbot.A contain a link to a copy of the trojan.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

 

Threat behavior

Installation

This trojan may be encountered when visiting a link found on a social media website such as Twitter, Myspace and Facebook. The link, obfuscated as a shortened "bit.ly" URL, accompanies a message, such as "lol when was the last time you saw this pic? <link>". If you open the link, it redirects your browser to the website "hotfile.com", such as "<site>/dl/153994922/<deleted>/IMG_10_April25_www.Facebook.com_Profile.zip.html?YtQOEZ.png".

Payload

Downloads files

Acbot downloads two configuration data files named "1.txt" and "2.txt" from a website named "srv5000.<deleted>". The files are used to instruct Acbot on which social media services to post messages, such as Facebook or Twitter, and the format of the messages created by the trojan.

Posts links to social media websites

Acbot injects code into the popular web browsers Mozilla Firefox, Microsoft Internet Explorer, Google Chrome and Opera. Acbot monitors when you access the following social media sites and replaces outgoing comments, messages or status updates with content from one of the downloaded configuration files:

  • Myspace
  • Facebook
  • Bebo
  • Meebo
  • Twitter

Additional information

Trojan:Win32/Acbot.A tries to determine whether it is running inside a debugging or virtual environment by looking for certain clues. For example, it quits if any of the following conditions are met:

  • If the file name of the trojan contains any of these words:
    • sample, virus, sand-box, sandbox, malware, test
  • If the computer name contains any of these names:
    • VMG-CLIENT
    • MAKKK
    • Malekal
    • HOME-OFF-D5F0AC
    • DELL-D3E62F7E26
    • KAKAPROU-6405DA
  • If the Windows user name contains any of these names:
    • VMG-CLIENT
    • Malekal
    • Mak
    • HOME-OFF-D5F0AC
    • DELL-D3E62F7E26
    • KAKAPROU-6405DA
    • klasnich
  • If any of the following names are present in the registry subkey HKLM\SYSTEM\ControlSet001\Services\Disk\Enum\0:
    • VMware, VBox, VirtualQEMU
  • If any process name contains any of the following:
    • vbox
    • vmsrvc
    • vmware
    • tcpview
    • syssafe.exe
    • wireshark.exe
    • regshot.exe
    • procmon.exe
    • filemon.exe
    • regmon.exe
    • procdump.exe
    • cports.exe
    • procexp.exe
    • squid.exe
    • dumpcap.exe
    • sbiectrl.exe
  • If any of the following security applications are running:
    • Wireshark
    • Microsoft Net Monitor
    • SmartSniff
    • CurrPorts
    • Process Monitor
    • Process Explorer
    • Ethereal
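The checks above double as a fingerprint of the analysis environments the author wanted to avoid. As an added example (not part of the Microsoft write-up), the script below lets a sandbox operator audit whether a given host would trip any of the published file-name, computer-name, user-name, Disk\Enum\0 and process-name checks, so the environment can be adjusted before the sample is run. Case-insensitive substring matching, the `collect_windows_host` helper and the sample host values are assumptions; the running-application check (Wireshark, Process Monitor, etc.) is covered only as far as its process names appear in the list.

```python
import getpass
import socket
import subprocess

# Indicator lists as published in the write-up; substring matching is assumed.
FILENAME_WORDS = ["sample", "virus", "sand-box", "sandbox", "malware", "test"]
COMPUTER_NAMES = ["VMG-CLIENT", "MAKKK", "Malekal", "HOME-OFF-D5F0AC", "DELL-D3E62F7E26", "KAKAPROU-6405DA"]
USER_NAMES = ["VMG-CLIENT", "Malekal", "Mak", "HOME-OFF-D5F0AC", "DELL-D3E62F7E26", "KAKAPROU-6405DA", "klasnich"]
DISK_ENUM_WORDS = ["VMware", "VBox", "VirtualQEMU"]
PROCESS_WORDS = ["vbox", "vmsrvc", "vmware", "tcpview", "syssafe.exe", "wireshark.exe", "regshot.exe",
                 "procmon.exe", "filemon.exe", "regmon.exe", "procdump.exe", "cports.exe", "procexp.exe",
                 "squid.exe", "dumpcap.exe", "sbiectrl.exe"]

def _hits(values, words):
    """Return (value, indicator) pairs where an indicator is a substring of a host value."""
    return [(v, w) for v in values for w in words if w.lower() in v.lower()]

def audit(sample_filename, computer_name, user_name, disk_enum, process_names):
    """Map each Acbot.A check to the indicators it would match on this host.
    An empty dict means the sample would run; any entry means it would quit."""
    findings = {}
    for check, values, words in [
        ("sample file name", [sample_filename], FILENAME_WORDS),
        ("computer name", [computer_name], COMPUTER_NAMES),
        ("user name", [user_name], USER_NAMES),
        ("Disk\\Enum\\0", [disk_enum], DISK_ENUM_WORDS),
        ("process names", process_names, PROCESS_WORDS),
    ]:
        hits = _hits(values, words)
        if hits:
            findings[check] = hits
    return findings

def collect_windows_host():
    """Gather live values on a Windows host (assumed collection method, Windows only)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\ControlSet001\Services\Disk\Enum")
    disk_enum = winreg.QueryValueEx(key, "0")[0]
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True).stdout
    procs = [line.split('","')[0].strip('"') for line in out.splitlines() if line]
    return socket.gethostname(), getpass.getuser(), disk_enum, procs

if __name__ == "__main__":
    # Constructed sample host for an offline run; on Windows, use collect_windows_host() instead.
    host, user, enum, procs = "SANDBOX-01", "analyst", "IDE\\Disk VBOX HARDDISK", ["explorer.exe", "procmon.exe"]
    print(audit("malware_sample.exe", host, user, enum, procs))
```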

Analysis by Vincent Tiu


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • Your social media page(s) contain messages with hyperlinks such as the following:
    "lol when was the last time you saw this pic? <link>"
 

Prevention


Alert level: Severe
First detected by definition: 1.119.1423.0
Latest detected by definition: 1.185.3430.0 and higher
First detected on: Feb 06, 2012
This entry was first published on: Feb 06, 2012
This entry was updated on: May 30, 2012

This threat is also detected as:
  • Ransomer.ABI (Avira)
  • Generic Dropper.p (McAfee)
  • Mal/Rorpian-D (Sophos)
  • W32/Ransom.AJL (Norman)