TROJ_FEBUSER.AA

Posted: July 31, 2013

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	9/10
Infected PCs:	197

First Seen:	July 31, 2013
Last Seen:	March 6, 2023
OS(es) Affected:	Windows

TROJ_FEBUSER.AA is a Trojan that installs malicious plugins to Chrome and/or Firefox in an attempt to hijack the victim's social network accounts. Facebook, Google+ and Twitter all are affected by TROJ_FEBUSER.AA's attacks, which can be used to distribute malicious links and generate fraudulent profile information through invitations, posts, 'like' flags and status updates, among other functions. Because TROJ_FEBUSER.AA is distributed as a mislabeled download that tries to look like a normal software update, SpywareRemove.com malware researchers recommend avoiding software downloads from unofficial sources as your best bet against TROJ_FEBUSER.AA attacks, followed by using anti-malware tools to remove TROJ_FEBUSER.AA whenever it becomes necessary.

TROJ_FEBUSER.AA: the Facebook Abuser that Pretends to Update Your Software

TROJ_FEBUSER.AA utilizes multiple levels of deception in its attacks, including in the original installation process. Malicious sites hosting TROJ_FEBUSER.AA disguise TROJ_FEBUSER.AA as an update for popular media players, and an installed TROJ_FEBUSER.AA will attempt to download and install a secondary component – a browser plugin for either Chrome or Firefox – that is presented as a 'service pack' update. Which plugin TROJ_FEBUSER.AA chooses to install actually is based on which Web browser you use during the initial infection. Interestingly, SpywareRemove.com malware experts haven't seen any indicators of TROJ_FEBUSER.AA including attacks specific to the often-exploited Internet Explorer browser, or to any other browsers besides Firefox and Chrome.

The so-called 'service pack' installed by TROJ_FEBUSER.AA actually is a social account hijacker that takes over such major social networking profiles as those of Facebook, Google+ and Twitter. Armed with the ability to create artificial 'like' flags, generate its own messages, join groups, invite others to groups and change the profile's update status, this plugin could be a dangerously-effective distribution platform for other PC threats, including TROJ_FEBUSER.AA. SpywareRemove.com malware experts also warn that the disguises for these plugins have gone through several evolutions – with one of the latest samples including references to a legitimate security company F-Secure.

Breaking the Cycle of Social Network Abuse

Although TROJ_FEBUSER.AA's plugins may be visible as seemingly ordinary add-ons, removing them without also removing TROJ_FEBUSER.AA is unlikely to do either your PC or your social network accounts much, if any good. SpywareRemove.com malware researchers typically suggest using qualified anti-malware software to delete TROJ_FEBUSER.AA and malicious browser plugins. Afterward, you also may want to change most major account passwords related to your PC – particularly those for Facebook, Twitter and Google+.

Besides all of the other tricks through which TROJ_FEBUSER.AA conceals its malicious activities, many of TROJ_FEBUSER.AA's components also have been confirmed to use digital signatures – a security feature that's intended to authenticate the identities of 'safe' programs. While not the first to do so, TROJ_FEBUSER.AA's continued use of digital signatures on malicious files is just another indication that you never can trust a file unless you've downloaded from a source that you're certain is safe.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

facevideoupdt7.2_cn.exe

File name: facevideoupdt7.2_cn.exe
Size: 739.66 KB (739664 bytes)
MD5: 5cc58402f234c03e1ea96da8cab8ffc4
Detection count: 71
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 1, 2013

21.exe

File name: 21.exe
Size: 1.36 MB (1361375 bytes)
MD5: d96b05d0251ecc5527d17f3874df5561
Detection count: 70
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 1, 2013

fbvideoupdt7.3_cn.exe

File name: fbvideoupdt7.3_cn.exe
Size: 732.72 KB (732720 bytes)
MD5: 8ee8f916f4381a7242b4bb384f3bc6d9
Detection count: 69
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 1, 2013

Registry Modifications

The following newly produced Registry Values are:

Regexp file mask%APPDATA%\temp.crx%TEMP%\fbinstupd.exeHKEY..\..\..\..{RegistryKeys}SOFTWARE\Microsoft\Tracing\fbinstupd_RASAPI32SOFTWARE\Microsoft\Tracing\fbinstupd_RASMANCSSOFTWARE\Wow6432Node\Microsoft\Tracing\fbinstupd_RASAPI32SOFTWARE\Wow6432Node\Microsoft\Tracing\fbinstupd_RASMANCS