Facebook Worm gets installed as Firefox/Chrome browser plugin to spread the infection and read user cookies. Below is the Spam message I received from one of the infected Facebook user.

Once you click on the above URL it takes you to a “random name.blogspot.com” where it says “Divx-Plugin Missing” and asks you to “Install Youtube Premium plugin” and press F5. Actually it doesn’t play any video, just reloads the page and activates the newly installed plugin.

Based on the browser used by you it downloads the Plugin. It targets Chrome and Firefox users. It has 2 different links in the <iframe  src=”http://betterfinace.com/de.php&#8221; – “betterfinace.com/youtube.crx” and  “betterfinace.com/youtube.xpi”

It prompts user to install the malicious plugin with Youtube as plugin name. Once plugin’s are installed it can take complete control of your browser.

If you are Chrome user you will be prompted with the below pop-up.

On exploring “youtube.xpi” I found a specific script “youtube.js”. It contains link to another java script hosted in the remote site “betterfinace.com/script.js”.

From “script.js” it contacts another script “extra.js”. This does the extra work it contains several functions from reading user cookies to sending SPAM content.

Below you can see the set of strings which are randomly grouped to form the spam description.
Below is the Spam message posted by this worm on one of the infected user wall. The Spam description, image and blogspot domains are randomly chosen.
When you click on this post it will ask you to share the post in order to play the video. Actually it does to spread the infection.
This worm is different from previous ones. It keeps browser control until you remove the installed plugin and reads your cookies.
Please follow the below instructions if you’re infected with this worm.
If you’re Firefox user go to Tools->Add-ons->Extension->Uninstall
If you’re Chrome user go to Tools->Extensions->Remove
Other similar malicious blogspot domains spreading this infection are as follows,
794eercdv.blogspot.com
air-rated.blogspot.com
boobslivetelevision.blogspot.com
broeosiieee.blogspot.com
cooltosee.info
craftywss.blogspot.com
ddmspoidjds.blogspot.com
droppedontv.blogspot.com
eqwtgggg.blogspot.com
fbhotcelebs.blogspot.com
fghcvndfhf.blogspot.com
foopeere.blogspot.com
fqvideos.blogspot.com
heuheueuiwwi.blogspot.com
i9bgr68.blogspot.com
jekjrehre.blogspot.com
jqiwuhhefdsfk.blogspot.com
kodiwodi.blogspot.com
kwerjwe.blogspot.com
leekjrwhe.blogspot.com
leihhrere.blogspot.com
lelikfieire.blogspot.com
lomevomena.blogspot.com
oplllkitre.blogspot.com
play-all-now.blogspot.com
plugin7th.blogspot.com
plugin8th.blogspot.com
premium-plugin.blogspot.com
presuueiee.blogspot.com
pshueheue.blogspot.com
qwertyasdf2.blogspot.com
ryu5gdtd.blogspot.com
sayshuew.blogspot.com
shockervids.weebly.com
sweiigehre.blogspot.com
toptone10.blogspot.com
toptone9.blogspot.com
ukhreza.blogspot.com
vppoyre.blogspot.com
watchthatblogdze.blogspot.com
woot-on-tv1.blogspot.com
worldofhasppy.blogspot.com
wowomglolya.blogspot.com
yikes-was-it-on-tv12.blogspot.com
yikes-was-it-on-tv20.blogspot.com
ytrutujghjg.blogspot.com
One more thing guys, this isn’t the only fb malware. There are hundreds of them out of the box. 
Tip: Dont visit any sites with above type of videos. If you have visited them by accident and installed the plugin, uninstall it as soon as possible using the above methods.
Advertisements