The Latest in IT Security

Febipos for Internet Explorer


In a previous blog post we discussed Trojan:JS/Febipos.A, a malicious browser extension that targets the Facebook profiles of Google Chrome and Mozilla Firefox users.  We recently came across a new Febipos sample that was specifically developed for Internet Explorer – we detect it as Trojan:Win32/Febipos.B!dll.

This trojan is a browser helper object that loads a JavaScript to Internet Explorer. We detect the loaded JavaScript as Trojan:JS/Febipos.E. The plugin tries to look legitimate by calling itself MicrosoftSecurityPlugin when viewed in Internet Explorer add-ons.

Internet Explorer add-ons 

Figure 1: The plugin tries to look legitimate in Internet Explorer add-ons

Spamming links on Facebook

When installed and loaded successfully Trojan:Win32/Febipos.B!dll will attempt to load a configuration file that it downloads from<removed>.php. It can then access a logged in Facebook account to:

  • Like a page
  • Share
  • Post
  • Join a group
  • Invite friends to a group
  • Chat with your friends
  • Comment on a post

We have seen it post the following messages in Portuguese on the wall of a logged in Facebook account. It can also tag several of the affected user’s friends:

  • Encontrei um vídeo no Youtube ensinando a ganhar $$ na Internet pelo Google! Acho que vale a pena
    I found a video on Youtube teaching how to earn $$ on the Internet through Google! I think it’s worth it.
  • Nem eu acredito, mas é verdade.
    Even I don’t believe it, but it’s true.
  • Dificuldades para PERDER PESO? Com ULTRA SLIM você emagrece sem sofrer!
    Struggling to lose weight? With ULTRA SLIM you lose weight without suffering!
    Lose weight, gain in health and self-steem. It’s only up to you.
  • Encontrei um vídeo no Youtube ensinando a ganhar $$ na Internet pelo Google!
    I found a video on Youtube teaching how to earn $$ on the Internet through Google!
  • Oportunidade: Google paga R$160 por hora para trabalhar em Casa!
    Opportunity: Google pays R$ 160 per hour to work from home!
  • Ganhe R$15.000 por mês trabalhando em Casa na Internet. Acesse o Link e saiba como!
    Earn R$15,000 per month working from home on the Internet. Click on the link and find out how!

One of the following URLs is also included in the message:


It may also use one of the following images:

An image used by Trojan:Win32/Febipos.B!dll Another image used by Trojan:Win32/Febipos.B!dll

Figure 2: An example of the images used by Trojan:Win32/Febipos.B!dll in Facebook spam

Here is an example of the Facebook post: 

An example Trojan:Win32/Febipos.B!dll Facebook post

Figure 3: An example Trojan:Win32/Febipos.B!dll Facebook post

When someone clicks on the link in the message, they are redirected to<removed>/v294v294e4p233r224w2t254/. This site will then redirect again to one of the following URLs:



We have seen Trojan:Win32/Febipos.B!dll being dropped and loaded by Trojan:Win32/Febipos.B with the path and filename %appdata%\WService.dll. It is loaded using the legitimate Windows application named regsvr32.exe. This application is used to register dynamic-link libraries and ActiveX controls in the registry.

The trojan creates the following registry entries to register itself as a browser helper object:

  • HKEY_CLASSES_ROOT\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
    (default) = “MicrosoftSecurityPlugin”
  • HKEY_CLASSES_ROOT\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}\InProcServer32
    (default) = “%appdata%\WService.dll”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
    (default) = “MicrosoftSecurityPlugin”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}\InProcServer32
    (default) = “%appdata%\WService.dll”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A}

It will also create the following registry entry to ensure it is only loaded in Internet Explorer and not in Windows Explorer:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
    NoExplorer = dword:00000001

The following registries entries are also created to disable some Internet Explorer notifications:

  • This will disable the IE notification to the user that the add-on is ready to use
    IgnoreFrameApprovalCheck = dword:00000001
  • This will disable the add-on performance IE notifications
    DisableAddonLoadTimePerformanceNotifications = dword:00000001

All of the above information was found at the time of our analysis; however, these websites can change at any time. In any case, we always recommend you keep your security products up-to-date with the latest definitions to help reduce your change of infection.

Jonathan San Jose


5cbd9c1e870b09fdd4b67e7610acbea8dddee9bd – Trojan:Win32/Febipos.B
361546e95a79b96a15e15ab82b1849f68b7381b2 – Trojan:Win32/Febipos.B!dll
bad556fb373e14f7041b3361ca450b2156a5ecda – Trojan:JS/Febipos.E

Leave a reply


FRIDAY, APRIL 19, 2024

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments