
Whhat a shame,, you got so busted!!

Saturday, February 28, 2009
Author: Richard S. Westmoreland
Permalink: facebook-yuotube-koobface
General News


Today I received an odd message in Facebook. It came from a friend of mine and was sent to many people at once. It was littered with spelling and grammar mistakes, with a link to an obscure YouTube lookalike. But it is not YouTube.

Subject: Hallo.
Message:

Whhat a shame,, you got so busted!!
http://somefakedomaindotcom/cr/?b9aa2cch=n603213861


(I have removed the domain so people don't accidentally click the link.)

That was it. If you click the link, you are brought to a page that looks like this:



Except that it will use the name of the Facebook member who allegedly sent you the message, along with their profile picture. You'll notice that on this fake page the title is misspelled as "YuoTube :: Broadcast Yourself :: Video post by (FB member name)".

The page is hosted on a server with IP address 94.112.62.161, which is registered to the Czech Republic. For any admins who allow Facebook access at their company, I advise blocking this IP address on the firewall.

The page claims you are required to install "Adobe Flash Player 10.37". If you click anywhere on the page, you are then prompted to download setup.exe from the site. It is exactly 30,720 bytes in size; its MD5 hash is 3b0c0c5ace8390f6160471ef8012863c. I uploaded this to VirusTotal, and as of right now the antivirus vendors detect it as:

eSafe: Suspicious File
F-Secure: Suspicious:W32/Malware!Gemini
Kaspersky: Net-Worm.Win32.Koobface.es
Artemis: Generic!Artemis
Microsoft: Worm:Win32/Koobface.I
NOD32: a variant of Win32/Koobface.NAO
Panda: Suspicious file
Sophos: W32/Koobfa-Gen
Symantec: Suspicious.MH690.A
TrendMicro: PAK_Generic.001
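As an added example (not part of the original post or of any vendor's tooling), here is a small Python script that turns the indicators given above into checks a defender can run: it compares a captured download against the stated size and MD5, scans proxy-log lines for the hosting IP, the lure URL path and the setup.exe download, and looks for the lure strings in a fetched page body. The proxy-log format and the sample page are constructed, and the regex for the `/cr/?...=n...` path is an assumption generalised from the single URL quoted in the message.

```python
import hashlib
import re

# Indicators taken from the post above (the hosting IP, the setup.exe size
# and MD5, and the lure strings); everything else in this block is constructed.
KOOBFACE_IP = "94.112.62.161"
SETUP_EXE_SIZE = 30720
SETUP_EXE_MD5 = "3b0c0c5ace8390f6160471ef8012863c"
LURE_STRINGS = (
    "YuoTube :: Broadcast Yourself",
    "Adobe Flash Player 10.37",
)
# The message link had the form /cr/?<token>=n<digits>; this pattern is an
# assumption generalised from the one URL quoted in the post.
LURE_PATH = re.compile(r"/cr/\?[0-9a-z]+=n\d+")


def check_download(data: bytes) -> dict:
    """Compare a captured download against the size and MD5 given in the post."""
    digest = hashlib.md5(data).hexdigest()
    return {
        "size": len(data),
        "md5": digest,
        "size_match": len(data) == SETUP_EXE_SIZE,
        "md5_match": digest == SETUP_EXE_MD5,
    }


def flag_proxy_lines(lines):
    """Return (line_number, reasons) for each proxy-log line that touches an
    indicator: the hosting IP, the lure URL path, or a setup.exe download."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = []
        if KOOBFACE_IP in line:
            reasons.append("koobface host ip")
        if LURE_PATH.search(line):
            reasons.append("lure url path")
        if "setup.exe" in line.lower():
            reasons.append("setup.exe download")
        if reasons:
            hits.append((n, reasons))
    return hits


def page_looks_like_lure(html: str) -> list:
    """Return the lure strings from the post that appear in a fetched page body."""
    return [s for s in LURE_STRINGS if s in html]


# Constructed sample proxy log (not real traffic):
# timestamp client method url status bytes
SAMPLE_LOG = [
    "2009-02-28T10:01:02 10.0.0.5 GET http://www.facebook.com/home.php 200 15234",
    "2009-02-28T10:01:40 10.0.0.5 GET http://somefakedomaindotcom/cr/?b9aa2cch=n603213861 302 0",
    "2009-02-28T10:01:41 10.0.0.5 GET http://94.112.62.161/index.php 200 4096",
    "2009-02-28T10:02:03 10.0.0.5 GET http://94.112.62.161/setup.exe 200 30720",
    "2009-02-28T10:05:00 10.0.0.7 GET http://www.youtube.com/watch?v=abc 200 80000",
]

# Constructed page body mimicking the lure described in the post.
SAMPLE_PAGE = (
    "<html><title>YuoTube :: Broadcast Yourself :: Video post by Jane</title>"
    "<body>To view this video you need Adobe Flash Player 10.37</body></html>"
)

if __name__ == "__main__":
    for n, reasons in flag_proxy_lines(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
    print(page_looks_like_lure(SAMPLE_PAGE))
    # A file of the right size but the wrong content: size matches, hash does not.
    print(check_download(b"\x00" * SETUP_EXE_SIZE))
```

The size check alone is not a match: only the MD5 ties a sample to the file described here, and a later repack of the same worm will have a different hash, so treat the hash as confirmation and the IP, URL path and lure strings as the signals to watch for in logs.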

This is a worm that spreads by social engineering through social networking sites such as Facebook and MySpace. More info about the worm itself can be found here:

http://www.kaspersky.com/news?id=207575670
