MX Lab detected a new Bredolab variant masking itself as the “Facebook Password Reset Confirmation”. The From address in the email is shown as “The Facebook Team <service@facebook.com>” but the real SMTP from address is spoofed.
The attachment has the name Facebook_Password_4cf91.zip and includes the file Facebook_Password_4cf91.exe. The part between _ and .zip at the end is chosen randomly and contains letters and numbers.
The trojan is known as Trojan.Downloader.Bredolab.AZ (BitDefender), Bredolab.gen.a (McAfee) or W32/Obfuscated.D2!genr (Norman) and is only detected by 14 of the 41 AV engines at VirusTotal.

More here:
http://blog.mxlab.eu/2009/10/27/bredolab-masked-as-facebook-password-reset-confirmation/
http://yfrog.com/0lmalfbpwmessagep
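A mail-filter check for the traits described above, added here as an example and not taken from MX Lab: it flags a facebook.com header From that disagrees with the SMTP envelope sender, the `Facebook_Password_<random>.zip` attachment name, and a matching `.exe` inside the archive. The function names, the indicator labels and the sample message are assumptions made for this example.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment name from the report: Facebook_Password_<letters/digits>.zip.
# The report gives no length for the random part, so any length matches (assumption).
LURE_ZIP = re.compile(r"^Facebook_Password_([A-Za-z0-9]+)\.zip$", re.IGNORECASE)

def _domain(addr: str) -> str:
    return addr.strip("<> ").rpartition("@")[2].lower()

def check_message(raw: bytes, envelope_from: str) -> list:
    """Return which indicators from the report a message matches.
    envelope_from is the SMTP MAIL FROM value as recorded by the receiving MTA."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # Header From claims facebook.com while the envelope sender is another domain.
    header_domain = _domain(parseaddr(str(msg["From"] or ""))[1])
    if header_domain == "facebook.com" and _domain(envelope_from) != header_domain:
        hits.append("from-mismatch")
    for part in msg.iter_attachments():
        m = LURE_ZIP.match(part.get_filename() or "")
        if not m:
            continue
        hits.append("lure-zip-name")
        try:  # list archive members without extracting anything
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            hits.append("unreadable-zip")
            continue
        # In the reported sample the .exe carries the same suffix as the archive.
        if f"facebook_password_{m.group(1).lower()}.exe" in names:
            hits.append("exe-in-zip")
    return hits

def build_sample(zip_name: str, inner_name: str) -> bytes:
    """Constructed message for testing; the archive member is placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "The Facebook Team <service@facebook.com>"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

The header/envelope comparison on its own also matches legitimate mail sent through third-party relays, so it is best used together with the attachment indicators.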