I have received two virus emails from two unrelated friends, indicating their accounts have been compromised. The messages are being sent through Facebook and both have had a spammy sounding subject line and a link to a geocities website. This was suspicious enough, but the fact that one message came from a friend I haven’t spoken to much in a year made it even more so.

The first virus email subject was “RE: You were caught on our secret camera!” and the second was “RE: You have a great hair cut in this movie”. The geocities addresses they pointed to were for the users reedgates21 and richiemack11. I’ve googled both addresses and gotten no results, so my guess is that they are randomly generating geocities accounts and generating these emails. A co-worker just got one too – a variation on a theme. The subject is “Don’t cry! Your mom will never see this movie”, also pointing to geocities, user name rkssbcyzk. Another one, “I’m not kidding I just saw your pics all over a site address swimcaw”, has come through as a wall post.

The links in the Facebook messages point to websites that contain viruses. Do NOT click on them.

Below are some examples of what they look like. (These are just images, so you can click on them for larger versions to see how the messages come into your inbox.)

[Screenshots 1–3: the messages as they appear in the inbox]

If you’re using Firefox, your browser should warn you that you’re about to try to access a page that has been linked to virus/malware when you click on the Facebook messages in question, but if you’re using an older version of IE (shame on you!), you may not get any warning at all.

When You Receive a Virus Email

  1. DO NOT CLICK ON THE LINK
  2. Send an e-mail to (or call) the sender, letting them know they are likely infected with a virus
  3. Suggest to the friend that they change their password from another, uninfected computer, and follow the steps further down in this article to remove the virus. (The method they use will depend on which virus they’ve been infected with.)
  4. Once the virus is cleared from the sender’s system, suggest they install a free anti-keylogger program and switch to Firefox just to be safe

Ultimately, it’s like anything else – common sense will go a long way. If the email seems odd (for example, the subjects sometimes start with “RE:”, as if they were replies to a message you sent, but you never sent a message with that subject), or the phrasing seems off or not something your friend would actually say, something is probably awry. If you’re unsure, contact the friend directly and ask if they sent it to you.

This has been happening a lot lately, and the scenario Tech Crunch describes in this article sounds a lot like what’s happening here.

Keep in mind… Facebook applications do NOT have access to your password, so unless you installed an application that “required you” to download an executable application (any kind of .exe, .msi, etc.), your Facebook applications should NOT be the cause. (Being an application developer, I can say that I couldn’t steal someone’s password using their API even if I wanted to.) HOWEVER, there have been several reports of phony applications and groups that require some sort of download in order to get the full experience (Secret Crush was one of them).

NO application or group should EVER require you to download and install anything. If they do, report them to the social network immediately.

Also keep in mind that these viruses are not limited to Facebook users. I’m more familiar with the Facebook scenario because I avoid MySpace like the plague, but every time I log in there, spammy and/or virus-y emails are awaiting me. This isn’t so much a flaw in the Facebook platform as a result of social networks still being young and going through some growing pains. MySpace has just as much of a problem with these issues, if not more so, since they have historically been less concerned about user experience and safety.

Another Variation – Fake YouTube Links

Another variation of the viruses being sent around Facebook is a similar message suggesting that the recipient appears in a YouTube video, with a supposed link to view it. Instead of actually seeing a video, viewers are told they need to download an updated version of Flash, which if followed may install a virus on the user’s computer. More info on that version, including sample messages and screenshots, is available here.

Why It’s Working

If you find yourself infected, don’t be too hard on yourself. People have become so used to receiving emails from Facebook asking them to confirm this or that that, arguably, they are more prone to click on a link that looks like it came from Facebook without being as diligent as they would be if they weren’t used to performing this same action 10 times a day for legitimate Facebook actions. For example, most users of Facebook are familiar with the “Joe has added you as a friend on Facebook…” stock email.

Some users are conditioned to follow this process whenever they receive an email of this sort. Some people can receive this email several times every day and perform this login procedure so often it becomes automatic. This simple, clean design is very easy for a phisher to mimic. Since users are conditioned to follow this process blindly, they might not notice that the email is spoofed or that the address bar is slightly incorrect. This makes Facebook users ideal targets for the type of generic phishing attacks that are usually directed at financial institutions.
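As an added illustration (not code from the original post), the small Python script below scores a message against the warning signs this post describes: a subject that starts with “RE:” when you never sent such a message, a link that leaves the expected site or points at a free-hosting or URL-shortener domain like the geocities and bit.ly addresses quoted here and in the comments, and the stuttered misspellings (“Hollly”, “hiidden”) the lure texts share. The sample messages, the host lists and the one-point-per-sign scoring are constructed assumptions for the demonstration; it is a prompt to pause before clicking, not a substitute for virus detection software.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the subject lines quoted in the post.
# The third is a legitimate reply, included to show that it scores zero.
SAMPLE_MESSAGES = [
    {"subject": "RE: You were caught on our secret camera!",
     "body": "look http://www.geocities.com/reedgates21/",
     "replied_to": False},
    {"subject": "hi",
     "body": "Hollly shhit! You are on hiidden camera!! http://bit.ly/xxxxxx",
     "replied_to": False},
    {"subject": "RE: lunch tomorrow?",
     "body": "Sure, noon works. https://www.facebook.com/events/12345",
     "replied_to": True},
]

# Hosts a Facebook notification would normally link to (assumption for the demo).
EXPECTED_HOSTS = {"facebook.com", "www.facebook.com"}
# Free-hosting and URL-shortener domains the lures in the post pointed at.
SUSPECT_DOMAINS = {"geocities.com", "bit.ly", "is.gd"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TRIPLE_RE = re.compile(r"([a-z])\1\1")   # "hollly", "goood"
DOUBLE_RE = re.compile(r"([a-z])\1")     # "ii" and "dd" in "hiidden"


def extract_hosts(text):
    """Return the lower-cased hostname of every http(s) URL in the text."""
    return [(urlparse(url).hostname or "").lower() for url in URL_RE.findall(text)]


def is_suspect_host(host):
    """True if host is one of the suspect domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


def stuttered_words(text):
    """Words with a tripled letter or two doubled pairs, the lures' typical misspelling.
    URLs are stripped first so that 'www' is not counted."""
    words = re.findall(r"[A-Za-z']+", URL_RE.sub(" ", text))
    return [w for w in words
            if TRIPLE_RE.search(w.lower()) or len(DOUBLE_RE.findall(w.lower())) >= 2]


def score_message(msg):
    """Score one message; returns (score, reasons). Each warning sign adds one point."""
    reasons = []
    subject = msg["subject"].strip()
    if subject.lower().startswith("re:") and not msg["replied_to"]:
        reasons.append("subject looks like a reply to a message you never sent")
    text = subject + " " + msg["body"]
    for host in extract_hosts(text):
        if is_suspect_host(host):
            reasons.append("link to free-hosting or URL-shortener host " + host)
        elif host not in EXPECTED_HOSTS:
            reasons.append("link leaves the expected site: " + host)
    stutters = stuttered_words(text)
    if stutters:
        reasons.append("stuttered lure spelling: " + ", ".join(stutters))
    return len(reasons), reasons


def triage(messages):
    """Return [(score, subject)] with the most suspicious messages first."""
    scored = [(score_message(m)[0], m["subject"]) for m in messages]
    return sorted(scored, key=lambda s: -s[0])


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, reasons = score_message(msg)
        print(f"[{score}] {msg['subject']!r}")
        for reason in reasons:
            print("    -", reason)
```

The "replied_to" flag stands in for whatever a real mail client knows about your own sent items; the point of the check is the one made above, that a “RE:” subject you never started is itself a signal. The stutter check deliberately stays a score rather than a verdict, because ordinary words such as “committee” also carry two doubled pairs.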

If You Clicked on the Link And Your Computer is Infected

I spent some time trolling Facebook’s forums to see if anyone had any specific direction on how to remove this virus from an infected machine. I found a few possible solutions, although since the people posting didn’t know or didn’t mention the name of the specific virus they were infected with, it may take some trial and error to find the solution that works best for you.

If your virus detection software determines that you’re infected with Bolivar23.exe, you can click here for directions on how to remove it.

In early August, there was a different one going around, called Koobface. Kaspersky’s website writes:

Net-Worm.Win32.Koobface.a spreads when a user accesses his/ her MySpace account. The worm creates a range of commentaries to friends’ accounts. Net-Worm.Win32.Koobface.b, which targets Facebook users, creates spam messages and sends them to the infected users’ friends via the Facebook site. The messages and comments include texts such as:
  • Paris Hilton Tosses Dwarf On The Street
  • Examiners Caught Downloading Grades From The Internet
  • Hello
  • You must see it!!! LOL. My friend catched you on hidden cam;
  • Is it really celebrity? Funny Moments and many others.
  • Yoou’re so prettty goood on thiis viddeo.
Messages and comments on MySpace and Facebook include links to youtube.[skip].pl. If the user clicks on this link, s/he is redirected to a site which purportedly contains a video clip. If the user tries to watch it, a message appears saying the user needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codesetup.exe is downloaded to the victim’s machine; this file is also a network worm. The result is that users who have come to the site via Facebook will have the MySpace worm downloaded to their machines, and vice versa. [more]

One confirmed method of removing this virus is MalwareBytes – for some people at the time, it seemed to be the only out-of-the-box software that was able to remove it.

Still another from around this time, the Troj/Dloadr-BPL Trojan horse, was reported on by Sophos:

Messages left on Facebook users’ walls are urging members to view a video (which pretends to be hosted on a Google website), but clicking on the link and visiting the webpage takes users to a site which urges them to download an executable to watch the movie.

Sophos detects the executable file as the Troj/Dloadr-BPL Trojan horse, which in turn downloads further malicious code (detected as Troj/Agent-HJX), and displays an innocent image of a court jester sticking his tongue out. [more]

In Conclusion

This isn’t the first wave of social network viruses, nor will it be the last. There isn’t one social network that is more prone to them than others. As we allow social networks to become a bigger part of how we communicate, we must simply remain cautious and avoid the temptation to become complacent. Pay attention to the links you click on that are sent through Facebook, the same way you pay attention to suspicious e-mails that come in through normal e-mail.


I’m a tech geek/dev/infosec-nerd/scuba diver/blacksmith/sword-fighter/crime fighter/ENTP/warcrafter/activist. I'm the CTO at Mass Mosaic and the CEO of Grokability, Inc. in San Diego, CA. Tweet at me @snipeyhead or read more...

  • philg

    I figured the suspicious message I received from someone on Facebook who I haven’t talked to in a long time was malware. I googled the title of the email (You were caught on our secret camera!) and your blog came up. Nice post, people like you are helping the Internet become a better place.

  • Thanks for the kind words, Philg! The way you found the site was exactly the way I was hoping people would, which is why I was sure to use the actual subjects of the emails. I’ll be adding more as I come across them, so more people might find the answers they need. And two points to you for checking before clicking!

  • I received a couple today and am thankful I use a Mac.

  • Allen Grinberg

    I got the Facebook virus when a “Friend” sent me a message and I double clicked on the link. Lo and behold 700+ friends are now infected. The bigger problem is that the website or the virus doesn’t allow you to SEND messages once you have the virus. So in essence you can’t even tell people about it. NOT good.

  • Laura

    @Allen – you can still use your status update to alert folks, and you can post a note on your wall, too. One of my savvier friends commented with a link to this page. (Thank goodness for smart friends.)

    Thanks, Snipe, for putting all this info up!

  • Excellent suggestion, Laura – that was what I had advised my infected friends to do as well. 🙂

  • @HarlemWriter Actually had someone’s computer send it to me; looked too suspicious, then checked it out. More info: http://is.gd/ahXj

  • patrick

    I just got the exact same message as the one in the screenshot, and my protection software (Kaspersky) told me that access to the website was denied due to the fact that it contained a virus… I would recommend Kaspersky to anyone with virus problems; haven’t had any problems yet.

  • Nathalie

    Hi – can anyone help me? I got exactly this virus through a video link sent to me on my Facebook wall – leading to YouTube. The friend who wasn't aware of the virus removed it immediately and so did I. We both cleaned our computers. However, for a few months I have been receiving the same message described above:
    Subject: hi – “Hollly shhit! You are on hiidden camera!!” and so on…
    and my Norton AV detected these emails as “Net-Worm.Win32.Koobface.b” or Trojan virus (Trojan.Piedief.C or “Backdoor Trojan” or “Trojan Pandex”) or “Downloader.Ergrun” or “Packed Generic.261”. I still receive them, but they are automatically detected and removed by Norton AV.
    My BIG PROBLEM now: I CAN NOT LOG INTO MY FACEBOOK ACCOUNT ANYMORE…
    Facebook has sent me two new passwords, but the login system doesn't accept them. My page is still there, friends can see it, and it hasn't been disabled. However, I can't access my page myself! I believe that Facebook doesn't recognize my email anymore. What to do? I am desperate – please help!!!! Nathalie

  • Bella

    Thanks for the info! My previous computer was infected with some sort of virus through MSN Messenger (I'm not computer savvy) and it's irreparable now. I got this in the form of “You weere caughtt on our hiddenn cammera!” on Facebook and was immediately suspicious. Now I know what's going on, so thank you! I do have one question, though; as previously stated, I don't know much about computers. The computer is only infected when you download the executable, but not through the message, correct? Thanks again!

  • Scottie D 4/20

    Thanks, keep up the good work. Why people make viruses is beyond me; I want to enjoy the web safely.

  • Shey

    Thank you so much for the info. I got a suspicious looking email on myspace that I didn't click on thanks to your post. BTW this is what it said:
    WOW
    SSweet! Yourr bbody loooks greaat on thiss viddeo!
    and the last line was a link to an external link outside MySpace: http://bit.ly/8Tv2Sn I didn't click on it or go to it, so I'm not sure if it's a virus link, but either way thanks a million & keep up the good work!
