Security researchers from Bitdefender have warned that a new instant messaging Trojan has infected hundreds of computers all over the world.
Identified as Gen:Variant.Downloader.167 by Bitdefender, the malware distributes itself through Facebook’s instant messaging feature and Yahoo Messenger.
Experts say the Trojan relies on “polite” messages, which it sends from infected computers to users from the victim’s contact list. The malicious messages read something like this: “I want to post these pictures on Facebook, do you think it’s OK?”
The messages are accompanied by links to popular file sharing services like Fileswap and Dropbox where the threat is hosted. Bitdefender experts have told SecurityWeek that the malicious file is first executed without parameters. The malware then creates a folder with a random name in Application Data and it copies itself to this folder with a random name and an “.exe” extension.
Then, it creates a registry entry in “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the name Counter Background WWAN Thread Mapper User NetBIOS. Once all this is done, the victim is presented with the following error message in an effort to avoid raising any suspicion: “This application is not compatible with the version of Windows you’re running. Check your computer’s system information to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.”
Another executable file with a random name is created in the same folder in Application Data. This file is executed with two parameters: WATCHDOGPROC, and the path to the first executable file.
Finally, a configuration file is created in the same folder, and the malware connects to a command and control server.
According to Bitdefender, Cybercriminals can command the Trojan to download other pieces of malware and eventually harvest confidential data, such as usernames, passwords and even banking credentials.
“The Trojan hides some of its encrypted data between biblical verses. The data is eventually decrypted with numbers generated by a mathematical processor,” Bitdefender Security Specialist Bianca Stanescu told SecurityWeek.
The largest number of infections have been spotted in Romania, Germany and Canada. However, infected computers are also located in the United States, the United Kingdom, France and Denmark.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
