Yesterday a colleague of mine forwarded me an email that she had got in the name of another colleague. The title of the email was “Facebook Password Reset Confirmation”. The reply-to address was given as service@facebook.com which was a little strange because whenever I get a mail from facebook, the domain is always facebookmail.com. I got suspicious and decided to investigate the issue.

Upon looking into the mail closely, there was an attachment named Facebook_Password_3eb0e.zip. To this point I was sure that this was a virus or something. I uploaded the attachment to virustotal.com which is a service which scans the file through all major antivirus systems. You can see the results by going to the following link:

Virus Total Results For Facebook Virus

You can see that most of the antivirus systems have identified the Facebook_Password_3eb0e.zip file as a trojan.

So what does this trojan do? Upon opening and running Facebook_Password_3eb0e.zip, it will call rogue anti spywares and will inject its own code in legitimate Windows processes like svchost.exe. And a lot of other things things to infect the system fully.

And how did it manage to send it from my friend’s facebook account? Most probably, your friend’s account has been compromised. Facebook is aware of the situation and advises to change the password of your facebook account immediately if it has been sent from your account or if it is from your friend’s account, ask them to change their passwords immediately and scan their computers with an up to date antivirus.

For further reading about this issue, please follow:

Facebook Security Advice

CNET News

M86 Security