Win32/Fbphotofake [Threat Name] go to Threat

Win32/Fbphotofake.A [Threat Variant Name]

Category worm
Size 175104 B
Aliases Hacktool.Spammer (Symantec)
  Spammer:Win32/Fbphotofake.A (Microsoft)
Short description

Win32/Fbphotofake.A is a worm that spreads through social networking sites. The worm is usually a part of other malware.


When executed, the worm copies itself into the following location:

  • %appdata%\­%variable1%.exe

The worm schedules a task that causes the following file to be executed repeatedly:

  • %appdata%\­%variable1%.exe

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­facebook]
    • "Login" = "%variable2%"
    • "Password" = "%variable3%"
    • "Count" = %number1%
    • "%variable4%" = %number2%
  • [HKEY_CURRENT_USER\­Software\­facebook]
    • "Login" = "%variable2%"
    • "Password" = "%variable3%"
    • "Count" = %number1%
    • "%variable4%" = %number2%

A string with variable content is used instead of %variable1-4%, %number1-2% .


The worm spreads by sending messages to people that are "friends" with someone in the social network whose computer has already been infected.

The message contains a URL link to a website containing malware.

The following social networking sites are affected:

  • Facebook
Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains an URL address.

The HTTP protocol is used in the communication.

Please enable Javascript to ensure correct displaying of this content and refresh this page.