Dr-Hack
#1 Posted : Saturday, January 25, 2014 11:11:52 AM(UTC)

Although this is Facebook spam, it infects a certain Flash module, which is why I am posting it in the Virus section and not in the "Social Networking" category.


Background of the Facebook Spam/Virus
Friends get a notification that you are tagged in a certain photo. When they click that notification they see the following image:


[Image: spam_photo.jpg]
With a caption telling them to follow these 4 steps to get the password of any Facebook friend they want, as shown in step 5. The important step is Step 4, where they give a link to a script which needs to be installed. Thanks to Chrome's Inspect Element, everyone can inject any sort of code without asking for third-party web building software. This is the script which the malicious user asks others to paste in Step 4: Read on Secure Paste.


Effects of the Facebook Virus
Once you are infected, the following will happen:
1. You will be tagging all your friends in a post like this:


[Image: tagging_friends_in_facebook.png]


2. Your account might also send messages to all your friends without your approval:
[Image: spam_auto_send.jpg]
3. The above keeps going on and on.


How to Stop this Facebook Spam / Virus
1. Uninstall Chrome, because it also installs some Chrome extensions. You can check them by opening "chrome://extensions/" in your browser and removing any strange extension you notice, but I still suggest uninstalling Chrome at this step.
2. Get a good antivirus to do a full scan. If you are infected, I can tell that your current AV failed, so try Microsoft Security Essentials; I have seen it work in this scenario, so use it.


[Image: av_results.jpg]


3. Also check your Facebook apps for any strange application; I covered that in this post in great detail.
4. Once you are clean you can install Chrome back and hope that you are clean.


What all this Facebook Spam / Virus infects in the background
I have limited user data till now, so I can only come to a few conclusions; if you have more information, please share it with us so it might help everyone else as well. One AV result tells us about a registry entry being infected relating to Adobe Flash.
Category: Trojan


Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items: 
file:C:\Users\xxx\AppData\Roaming\Adobe\Flash Player\File Cache\hddef.bat
process: pid:3020
regkey:[email protected]\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\HDDefrag
runkey:[email protected]\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\HDDefrag

In some cases I saw the following:
Category: Adware
Description: This program delivers potentially unwanted advertisements to your computer.
Recommended action: Permit this detected item only if you trust the program or the software publisher.
Items: 
containerfile:C:\Program Files\bettersurf\BetterSurfPlus\ch\BetterSurfPlus.crx
file:C:\Program Files\bettersurf\BetterSurfPlus\ch\BetterSurfPlus.crx
file:C:\Program Files\bettersurf\BetterSurfPlus\ch\BetterSurfPlus.crx->BetterSrf.js
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome.manifest
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\better-surf.js
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\firefox.js
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\icons\default\star1_32.png
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\icons\Thumbs.db
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\overlay.xul
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\utils\amiextension.js
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\utils\amihelper.js
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\utils\amilocal.js
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\utils\chaddon.js
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\utils\chback.js
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\utils\ffaddon.js
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\utils\hostutils.js
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\utils\ieaddon.js
file:C:\Program Files\bettersurf\BetterSurfPlus\ff\install.rdf
file:C:\Program Files\bettersurf\BetterSurfPlus\uninstall.exe
folder:C:\Program Files\bettersurf\
folder:C:\Program Files\bettersurf\BetterSurfPlus\
folder:C:\Program Files\bettersurf\BetterSurfPlus\ch\
folder:C:\Program Files\bettersurf\BetterSurfPlus\ff\
folder:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\
folder:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\
folder:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\icons\
folder:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\icons\default\
folder:C:\Program Files\bettersurf\BetterSurfPlus\ff\chrome\content\utils\
folder:C:\Program Files\bettersurf\BetterSurfPlus\ie\
regkey:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Better Surf Plus
uninstall:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Better Surf Plus




So BetterSurfPlus is one cause of the malicious Chrome and Firefox exploits. I couldn't get my hands on the CRX file so I could assess more information on this; therefore I can't say what all was done by the Chrome extension. The main cause was Comie.A and Napolar.A.


How to Stay Safe from Such Spam and Virus
See this post, in which I covered the basics of staying safe; in short, anything that appears too good to be true is fake :)
Stay safe, play smart; sharing is caring.
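An added example, written here and not taken from the post or from any AV vendor: a small Python parser for the scan-result format quoted above that pulls out the items a responder would check first, the autostart Run-key entry and the batch file dropped in the Flash Player cache. The sample report is constructed from the post's own entries (item lists shortened), and the "HKCU" hive is an assumption because the post's copy of that value is garbled.

```python
import re

# Constructed sample, modelled on the two Microsoft Security Essentials
# detections quoted in the post (item lists shortened). The hive "HKCU" is
# an assumption: the post's copy of that value is garbled.
SAMPLE_REPORT = """\
Category: Trojan
Recommended action: Remove this software immediately.
Items:
file:C:\\Users\\xxx\\AppData\\Roaming\\Adobe\\Flash Player\\File Cache\\hddef.bat
process: pid:3020
runkey:HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\\\HDDefrag
Category: Adware
Recommended action: Permit this detected item only if you trust the program or the software publisher.
Items:
file:C:\\Program Files\\bettersurf\\BetterSurfPlus\\ch\\BetterSurfPlus.crx
regkey:HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\Better Surf Plus
"""

def parse_report(text):
    """Return [(category, [(kind, value), ...]), ...], one per 'Category:'.
    Capitalised fields are report metadata; lowercase kind:value lines are
    the detected artefacts."""
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Category:"):
            detections.append((line.split(":", 1)[1].strip(), []))
        elif line and line[0].islower() and detections:
            kind, _, value = line.partition(":")
            detections[-1][1].append((kind.strip(), value.strip()))
    return detections

RUN_KEY = re.compile(r"\\CURRENTVERSION\\RUN\\", re.IGNORECASE)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")

def persistence_indicators(detections):
    """Items to triage first: autostart Run-key entries, and script files
    dropped under a user's AppData (the hddef.bat pattern from the post)."""
    hits = []
    for category, items in detections:
        for kind, value in items:
            low = value.lower()
            if kind in ("runkey", "regkey") and RUN_KEY.search(value):
                hits.append((category, value, "autostart Run key"))
            elif kind == "file" and low.endswith(SCRIPT_EXT) and "\\appdata\\" in low:
                hits.append((category, value, "script under AppData"))
    return hits

if __name__ == "__main__":
    for hit in persistence_indicators(parse_report(SAMPLE_REPORT)):
        print(hit)
```

On the sample it reports the hddef.bat file and the HDDefrag Run key; the BetterSurfPlus entries are adware install artefacts, not autostart persistence, and are left for the second pass.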
