Whhat a shame,, you got so busted!!

Saturday, February 28, 2009
Author: Richard S. Westmoreland
Permalink: facebook-yuotube-koobface
General News

Today I received an odd message on Facebook. It came from a friend of mine and had been sent to many people at once. It was littered with spelling and grammar mistakes and contained a link to an obscure YouTube lookalike. But it is not YouTube.

Subject: Hallo.

Whhat a shame,, you got so busted!!

(I have removed the domain so people don't accidentally click the link)

That was it. If you click it, you're brought to a page that looks like this:

Except that it will use the name of the Facebook member who allegedly sent you the message, along with their profile picture. You'll notice that on this fake page the title is misspelled as "YuoTube :: Broadcast Yourself :: Video post by (FB member name)".

The page is hosted on a server with IP address, which is registered to the Czech Republic. For any admins that allow Facebook access at their company, I advise blocking this IP address on the firewall.

You are told that you must install "Adobe Flash Player 10.37". If you click anywhere on the page, you are then prompted to download setup.exe from the site. It is exactly 30,720 bytes in size; its MD5 hash is 3b0c0c5ace8390f6160471ef8012863c. I uploaded this to VirusTotal, and as of right now the antivirus vendors detect it as:

eSafe: Suspicious File
F-Secure: Suspicious:W32/Malware!Gemini
Artemis: Generic!Artemis
Microsoft: Worm:Win32/Koobface.I
NOD32: a variant of Win32/Koobface.NAO
Panda: Suspicious file
Sophos: W32/Koobfa-Gen
Symantec: Suspicious.MH690.A
TrendMicro: PAK_Generic.001

This is a worm that spreads by social engineering on social networking sites such as Facebook and MySpace. More info about the worm itself can be found here:
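As an added example (not part of the original post), here are the indicators above turned into two defender-side checks in Python: a size-plus-MD5 match for the setup.exe dropper, and a proxy-log scan for requests to hosts whose name imitates "youtube". The log format, the host yuotube.example and the allowlist are constructed assumptions, since the post removed the real domain.

```python
import hashlib
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Indicators quoted in the post: the dropper is exactly 30,720 bytes with this MD5.
KOOBFACE_SIZE = 30720
KOOBFACE_MD5 = "3b0c0c5ace8390f6160471ef8012863c"
# Hosts allowed to carry the "youtube" name (assumption: this short allowlist suffices).
LEGIT_HOSTS = ("youtube.com", "www.youtube.com")

def matches_koobface_sample(data: bytes) -> bool:
    """True when a file's size and MD5 both match the setup.exe indicator from the post."""
    return len(data) == KOOBFACE_SIZE and hashlib.md5(data).hexdigest() == KOOBFACE_MD5

def is_youtube_lookalike(host: str) -> bool:
    """True for any non-allowlisted host with a DNS label that (nearly) spells 'youtube'."""
    host = host.lower()
    if host in LEGIT_HOSTS or host.endswith(".youtube.com"):
        return False
    # A similarity ratio of 0.8 catches one-letter swaps such as 'yuotube' (ratio 0.857).
    return any(SequenceMatcher(None, label, "youtube").ratio() >= 0.8
               for label in host.split("."))

def flag_lure_requests(log_lines):
    """Return (client, url) pairs for proxy-log requests to a YouTube-lookalike host."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:          # skip malformed lines
            continue
        client, url = parts[0], parts[2]
        host = urlsplit(url).hostname or ""
        if is_youtube_lookalike(host):
            hits.append((client, url))
    return hits

# Constructed proxy log ("client method url"); yuotube.example stands in for the removed domain.
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.youtube.com/watch?v=abc123",
    "10.0.0.7 GET http://yuotube.example/video.php?id=1",
    "10.0.0.7 GET http://yuotube.example/setup.exe",
    "10.0.0.9 GET http://example.org/index.html",
]

if __name__ == "__main__":
    for client, url in flag_lure_requests(SAMPLE_LOG):
        print(f"lure request from {client}: {url}")
```

The hash check is meant for files pulled from a quarantine folder or proxy cache; the log scan only flags the lookalike host, so the dropper download shows up as a second hit from the same client.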
