Win32/Facibom [Threat Name] go to Threat

Win32/Facibom.A [Threat Variant Name]

Category worm
Size 1150976 B
Aliases Backdoor.Win32.Poison.bmnn (Kaspersky)
  TrojanDownloader:Win32/Tonick.gen!B (Microsoft)
  Generic.dx!sqg.trojan (McAfee)
Short description

Win32/Facibom.A is a worm that is spread via links in social networking sites.


The worm creates the following files:

  • %appdata%\­ie\­csrss.exe (1150976 B)
  • %appdata%\­ie\­remo.bat

The worm may create the following files:

  • %temp%\­iexplorer.tmp
  • %temp%\­mozzila.tmp
  • %temp%\­svchosts.exe
  • %temp%\­svchost.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "win" = "%appdata%\­ie\­csrss.exe"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "win" = "%appdata%\­ie\­csrss.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­RunServices]
    • "win" = "%appdata%\­ie\­csrss.exe"
Information stealing

The following information is collected:

  • passwords
  • Windows Protected Storage passwords and credentials

The worm collects information related to the following applications:

  • Mozilla Firefox
  • Internet Explorer

The worm spreads by sending messages to people that are "friends" with someone in the social network whose computer has already been infected.

The messages may contain any of the following texts:

  • is this you!!?!?? %url%
  • Is this you??!! %url%
  • Hey! Is this you!???? %url%
  • Hey! I think this is you? %url%
  • Hey! I think this is you?!!! Ha,ha were you drunk?? %url%
  • Hey! You look like the person in this video and i think it is you!???!! %url%
  • Salut,c'est peut-etre ton video?!!? %url%
  • Salut,c'est peut-etre ton video?!!? %url%
  • Hola, esto eres tu?? %url%
  • Hola! Creo que esto eres tu %url%

A string with variable content is used instead of %url% .

Some examples follow.

If the link is clicked a copy of the worm is downloaded.

The following social networking sites are affected:


Please enable Javascript to ensure correct displaying of this content and refresh this page.