How to remove “Nice picture” backdoor

February 6, 2011 on 5:31 pm | In Malware analysis

Today I was rudely disturbed when one of my Facebook friends sent me two of the exact same messages in a short period of time. As I am not the type that clicks on anything and it was suspicious that this friend would send me a message in English, I did some research first.
These are the messages she sent me:


It turned out the link led to a message that the picture had been moved, but meanwhile a file was being downloaded.
I carefully downloaded the file to my VM and ran it to see what would happen. A short while after running the file, browser windows opened and connected to MySpace and Facebook.
That was suspicious enough, so I put the scan through an online scanner, Jotti’s malware scan, and ran our own scanner, MBAM.

On Jotti, only Ikarus recognized the file as Trojan.Win32.Llac, and MBAM came up with a heuristic detection as Malware.Trace.
So I alerted our Assistant Director of Research and sent her a sample.

A few hours later, MBAM had full detection. You can read how to remove this backdoor on our forums. You can also get help there should you need it.

And note that the full version of Malwarebytes’ Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Pieter Arntz
