Get-Styles Facebook Malware | Joachim De Zutter
Uses an NTFS Alternate Data Stream attached to C:\Users\User\Downloads\GetStyles.exe to hide a second file, C:\Users\User\AppData\LocalLow\Microcoft\redir.dll
(notice that the directory name is Microcoft instead of Microsoft)
Filesize: 221184 bytes
MD5: 91e4fa9d47cf7e93884060fe13f037ba
SHA1: 5dd0766b0e08d776707ac5f2eacba723bd27e155
SHA256: 15219aea032eb1b078c604701a2cb75e138d47bd21ce512d1ddd762ccab46125
Binary language: Russian

AVG identified both files as trojan horse Generic19.PVN

ADS Scanner
http://www.pointstone.com/products/ADS-Scanner/

The Get-Styles Facebook malware registers itself as an Internet Explorer pluggable MIME filter for text/html under CLSID {574940E0-1B7A-4881-8FA3-1E809714B156}. A filter on text/html sits in the URLMon data stream, so the DLL sees, and can rewrite, every HTML page the browser loads. HijackThis reports the hijacked filter.

The following registry keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
HKEY_CLASSES_ROOT\redir.RFilter
HKEY_CLASSES_ROOT\redir.RFilter.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{574940E0-1B7A-4881-8FA3-1E809714B156}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{574940E0-1B7A-4881-8FA3-1E809714B156}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{574940E0-1B7A-4881-8FA3-1E809714B156}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{574940E0-1B7A-4881-8FA3-1E809714B156}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{574940E0-1B7A-4881-8FA3-1E809714B156}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{574940E0-1B7A-4881-8FA3-1E809714B156}\VersionIndependentProgID
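The two persistence tricks above (a DLL hidden in an alternate data stream, and a pluggable MIME filter on text/html) can both be checked from PowerShell. The script below is an added example and is not code from the original post or from the malware; the file path and the CLSID are taken from the post, the rest (the use of .NET registry classes instead of the HKLM: provider, the sample path parameter) is an assumption made for the example. It reads the registry through .NET because the key name text/html contains a forward slash, which the PowerShell registry provider treats as a path separator.

```powershell
# Added example, not part of the original post.
# Checks a downloaded file for NTFS alternate data streams and looks for an
# Internet Explorer pluggable MIME filter registered on text/html.
param(
    # Assumed default: the download path named in the post.
    [string]$Path = "$env:USERPROFILE\Downloads\GetStyles.exe"
)

# CLSID the post attributes to the redir.RFilter object.
$knownBadClsid = '{574940E0-1B7A-4881-8FA3-1E809714B156}'

# 1. Enumerate alternate data streams on the file (needs PowerShell 3+).
#    ':$DATA' is the file's normal unnamed stream; anything else is an ADS.
#    Browser downloads legitimately carry a small 'Zone.Identifier' stream,
#    so look for other names and for stream sizes large enough to be a DLL.
if (Test-Path -LiteralPath $Path) {
    Get-Item -LiteralPath $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $note = if ($_.Stream -eq 'Zone.Identifier') { 'expected on downloads' } else { 'SUSPICIOUS' }
            Write-Output ("ADS {0}:{1} ({2} bytes) {3}" -f $Path, $_.Stream, $_.Length, $note)
        }
} else {
    Write-Output "File not found: $Path"
}

# 2. Look for a text/html MIME filter. On a clean system this key is
#    normally absent; the filter key's CLSID value names the COM object and
#    the CLSID's InprocServer32 default value names the DLL that gets loaded.
$hklm   = [Microsoft.Win32.Registry]::LocalMachine
$filter = $hklm.OpenSubKey('SOFTWARE\Classes\PROTOCOLS\Filter\text/html')
if ($filter) {
    $clsid = $filter.GetValue('CLSID')
    $flag  = if ($clsid -eq $knownBadClsid) { 'matches Get-Styles CLSID' } else { 'unknown filter, review' }
    Write-Output "text/html MIME filter registered: $clsid ($flag)"

    $server = $hklm.OpenSubKey("SOFTWARE\Classes\CLSID\$clsid\InprocServer32")
    if ($server) {
        Write-Output ("  InprocServer32 -> {0}" -f $server.GetValue(''))
        $server.Close()
    }
    $filter.Close()
} else {
    Write-Output 'No text/html MIME filter registered.'
}
```

Run it from an elevated prompt on the affected machine; a stream other than Zone.Identifier on the downloaded executable, or any CLSID at all under PROTOCOLS\Filter\text/html, is worth pulling for analysis. Removing the filter key and deleting the stream (for example by copying the main stream to a fresh file and discarding the original) undoes the hijack, but the dropped DLL and the GetStyles.exe download should be removed as well.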

The DLL contains the URL http://rainbfg.info/download/agrfgon.js (IP 212.59.118.178).
Lookup of 212.59.118.178 at http://www.utrace.de/?query=212.59.118.178:
Eurasia Telecom Ltd.
IO-HOSTS Ltd.

-bash-3.1$ wget http://rainbfg.info/download/agrfgon.js
--2010-09-23 14:16:42--  http://rainbfg.info/download/agrfgon.js
Resolving rainbfg.info... 212.59.118.178
Connecting to rainbfg.info|212.59.118.178|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18045 (18K) [application/x-javascript]
Saving to: `agrfgon.js'

100%[======================================>] 18,045      --.-K/s   in 0.1s

2010-09-23 14:16:42 (119 KB/s) - `agrfgon.js' saved [18045/18045]

-bash-3.1$ wget http://212.59.118.178/download/agrfgon.js
--2010-09-23 14:18:03--  http://212.59.118.178/download/agrfgon.js
Connecting to 212.59.118.178:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2010-09-23 14:18:03 ERROR 404: Not Found.

The same path fetched by IP address returns 404: the server only serves the script when the request carries the Host header rainbfg.info, so the file is tied to the name rather than to the address.