Koobface virus hits Facebook
This message could lead you to the Koobface virus, say security experts. (Credit: McAfee Avert Labs)
A worm responsible for sending Facebook users malicious code appears to be limited in nature, although the social engineering attack may be used again, say experts.
Facebook representative Barry Schnitt said the worm isn't new; it dates back to August, although the variant that first appeared on Wednesday targets only Facebook users.
Craig Schmugar, threat researcher for McAfee Avert Labs, confirmed this in a call with CNET News and said that, in general, Koobface strikes only social-networking sites.
After receiving a message in their Facebook in-box announcing, "You look funny in this new video" or something similar, recipients are then invited to click on a provided link. Once on the video site, a message says an update of Flash is needed before the video can be displayed. The viewer is prompted to open a file called flash_player.exe.
A new mass-mailing virus targeting Facebook users directs victims to a site asking to download a Trojan masked as an Adobe Flash update. (Credit: McAfee Avert Labs)
Schmugar said the prompt for a new player should itself be a warning: "The messages you tend to get from these sites don't look quite right." For instance, IE will tell you where the update is coming from, and usually it's not an Adobe site.
If the viewer approves the Flash installation, Koobface attempts to download a program called tinyproxy.exe. This loads a proxy server called Security Accounts Manager (SamSs) the next time the computer boots up. Koobface then listens to traffic on TCP port 9090 and proxies all outgoing HTTP traffic. For example, a search performed on Google, Yahoo, MSN, or Live.com may be hijacked to other, lesser-known search sites.
Schmugar said this version of Koobface includes a bot-like component that could install other malicious apps at a later time.
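As an added example (not code from the article or from McAfee), the following Python script checks a Windows host for the two traces the article describes: a process listening locally on TCP 9090 and the browser's proxy setting pointed at it. The netstat-style lines, the PID-to-image table and the registry values are constructed here so the script runs offline; on a real machine you would feed it the output of `netstat -ano` and `tasklist` and the `ProxyEnable`/`ProxyServer` values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`.

```python
"""Host-side check for the Koobface traces described in the article:
a local proxy listening on TCP 9090 and the browser's proxy setting
pointed at it. Added example; all sample data below is constructed."""

KOOBFACE_PORT = 9090
# File names the article attributes to this variant.
KNOWN_NAMES = {"tinyproxy.exe", "flash_player.exe"}

# Constructed sample in the shape of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135        0.0.0.0:0      LISTENING    892
  TCP    127.0.0.1:9090     0.0.0.0:0      LISTENING    1744
  TCP    192.168.1.5:49215  10.0.0.8:443   ESTABLISHED  2260
"""

# Constructed PID -> image name table (what `tasklist` would give you).
SAMPLE_PROCESSES = {892: "svchost.exe", 1744: "tinyproxy.exe", 2260: "firefox.exe"}

# Constructed values in the shape of the per-user Internet Settings registry key.
SAMPLE_INTERNET_SETTINGS = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:9090"}


def parse_listeners(netstat_text):
    """Map local port -> PID for every TCP socket in LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            listeners[port] = int(parts[4])
    return listeners


def proxy_points_to_local_port(settings, port):
    """True when the browser proxy is enabled and routes to localhost:<port>."""
    if not settings.get("ProxyEnable"):
        return False
    # ProxyServer is either "host:port" or "http=host:port;https=host:port;...".
    for entry in settings.get("ProxyServer", "").split(";"):
        host, _, p = entry.split("=", 1)[-1].rpartition(":")
        if host in ("127.0.0.1", "localhost") and p.isdigit() and int(p) == port:
            return True
    return False


def find_indicators(netstat_text, processes, settings):
    """Return human-readable findings; an empty list means none of the traces were seen."""
    findings = []
    pid = parse_listeners(netstat_text).get(KOOBFACE_PORT)
    if pid is not None:
        findings.append(f"local listener on TCP {KOOBFACE_PORT}: pid {pid} ({processes.get(pid, 'unknown')})")
    for pid, name in processes.items():
        if name.lower() in KNOWN_NAMES:
            findings.append(f"known Koobface component running: {name} (pid {pid})")
    if proxy_points_to_local_port(settings, KOOBFACE_PORT):
        findings.append(f"browser proxy set to localhost:{KOOBFACE_PORT}, so all HTTP is relayed through it")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_NETSTAT, SAMPLE_PROCESSES, SAMPLE_INTERNET_SETTINGS):
        print("[!]", finding)
```

The proxy check is the one worth keeping even after the binary is gone: if `ProxyEnable` is still set and `ProxyServer` still names a local port nothing is listening on, the browser simply stops working, which is a common reason a half-cleaned machine "has no internet" afterwards.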
Facebook's Schnitt said, "Only a very small percentage of Facebook users have been affected and we're working quickly to update our security systems to minimize any further impact, including resetting passwords on infected accounts, removing the spam messages, and coordinating with third parties to remove redirects to malicious content elsewhere on the Web."
Facebook has posted instructions on how to remove the infection.
McAfee's Schmugar said this attack is similar to e-mail attacks 10 years ago in that Koobface is using infected friends lists, reminiscent of early mass-mailing worms. As was the recommendation then, he advises users not to open any unexpected e-mail attachments, even if they are from someone you know.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 
There is another one that goes to a random blog and the blog redirects from blogger.com or some other legit site to a site that infects the user with a virus and then PMs all of their friends on Facebook. I didn't fall for that one either.
I got the YouTube fake one, and I don't know how to get rid of it now?
Does anyone have any suggestions as to how to get rid of this?
3 of my family members are affected too. Is there an online scanner that will get rid of it? Because my family doesn't know anything about computers.
Please see the whole detail in my blog: http://ow.ly/jUcx
Get HijackThis off the website; just Google HijackThis, and/or use Ad-Aware (not adware). It is a free download from the Lavasoft company.
Hope you get it fixed.
None of them get rid of it!! I even have Panda Antivirus 2009 installed on my computer, and Panda didn't detect it either (shrugs). Like, what in the heck!!?? Anyone know how to get rid of this dang virus??????!!!
That's the exact same one I got too, the one in that pic.... I've tried McAfee, Symantec, Panda, none of 'em will even detect the virus, much less delete it!! What the heck!!??? I mean I know I got the virus, anyone know how to remove it!? Please?
ExpertVirusRemov
BBC news tells of a manual way to get rid of it.
http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7773000/7773340.stm
"Just go to your Windows directory and search for these two files: tmark2.dat and mstre6.exe.
Beyond this, the virus looks for credit card info, which it can get out of cookies from previous purchases, so keep an eye out for suspicious purchases. We cleaned the computer within a half hour of infection, but it had already gotten info from our computer and made two small purchases a couple of days later to "fake" companies, one for $29 and another for $39. (So don't just think you are in the clear if you get it off your computer.)
It can also get sensitive info that you type until the virus is removed so if you have gone to any banking sites since getting the virus be sure to keep an eye on that also.
I never thought I'd see these words roll off of my fingertips, but maybe you need to buy a Mac.
http://friendfeed.com/e/e7ca087f-fdae-4426-a1b6-ff3157af53f0/Another-Facebook-Virus/
People are looking for a way to fix the virus that was spread through Facebook. Facebook says there are instructions on their website on how to remove the virus and fix your computer. That is apparently not the case. That is their misrepresentation. Other than the fact it was sent through Facebook, it isn't their fault. Other than the fact it is their fault, it's not their fault is what you mean. Do you understand that statement? So now they are attempting to make their site more secure so that it doesn't happen; maybe they could have already done that? What I want to know, and everyone else that is infected, is HOW DO YOU REMOVE THE VIRUS THAT WAS SENT THROUGH FACEBOOK? Don't need a lesson on anything else. So thanks for the responsibility lesson, but you didn't help anything with your post. And btw, I have a Mac, but my PC is infected.
Also, NO, it is NOT Facebook's fault. If you get an email with GMAIL that has a link to give you a virus, it is not Google's fault. If you get an IM from someone with a link to a bad site it is not AIM/MSN/Yahoo/etc's fault. It's like saying "I got something I don't like in my mailbox that the USPS delivered. It is all the USPS's fault."
Ok, ranting done...
I am working as a Desktop Support person for a company right now. To (attempt to) remove this, boot to a Windows PE disk if you can (I haven't tried it in Safe Mode). Search the registry and hard drive for:
- tinyproxy.exe
- webmediaviewer
- bolivar28.exe
Remove all instances of these. tinyproxy tends to live in C:\Program Files\tinyproxy and webmediaviewer in C:\Program Files\WebMediaViewer. Make sure you get ALL of them. Go into Control Panel -> Internet Options -> Connections -> LAN Settings. Uncheck the boxes under Proxy Server.
This has been working for me right now. However, as time goes on, this virus and its payload will change and these steps will no longer solve the problem. There are no guarantees on this that it will work, but hopefully it will help some of you out there.
Also, you can try Googling for Autoruns. It is a Microsoft program that helps show everything that starts automatically with your computer. Use it at your own risk, but it is helpful for the more tech-savvy users out there. Try to remove suspicious stuff with it. If you see a *.dll that looks fishy with it, Google the *.dll and see what it says. Usually a *.dll that doesn't show up in Google is one with a randomly generated name.
Another tip: I have noticed a trend in naming conventions for randomly generated files. Most randomly generated, letter-only names have a ratio of 4 consonants to 1 vowel. This is because there are 21 consonants and 5 vowels. Most words have a 1 to 1 or 2 to 1 ratio. However, some newer malware and spam has noticed this and started to perfectly alternate between consonants and vowels (1 to 1 ratio) to avoid making their randomly generated files obvious. So, strange names with perfectly alternating consonants and vowels should be suspicious too.
That's all the help I've got for now. I'm off to go clean some more w32.Koobface.worm.
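The removal checklist and the consonant-to-vowel tip in the comment above can be turned into a first-pass triage of an Autoruns listing. The script below is an added example, not the commenter's code and not part of Autoruns or any other tool named on this page; the entry list is constructed, the two random-looking names are made up, and the 3:1 ratio threshold and six-letter minimum are my choices (the comment quotes roughly 4:1 for generated names and at most 2:1 for real words). The allowlist exists because the ratio rule alone flags svchost.exe, which is exactly why the comment says to Google a name before deleting it.

```python
"""Triage of autorun entries using the two ideas from the comment above:
known Koobface file names first, then the consonant-to-vowel heuristic for
randomly generated names. Added example with a constructed entry list."""

VOWELS = set("aeiou")

# Names the article and the comments above attribute to this Koobface variant.
KNOWN_KOOBFACE_NAMES = {"tinyproxy.exe", "webmediaviewer", "bolivar28.exe",
                        "flash_player.exe", "mstre6.exe", "tmark2.dat"}

# Small allowlist: the ratio rule alone flags svchost (6 consonants, 1 vowel).
COMMON_WINDOWS_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}

# Thresholds are my choice, sitting between the comment's ~4:1 (random) and <=2:1 (words).
CONSONANT_VOWEL_RATIO = 3.0
MIN_LETTERS = 6


def letters_of(stem):
    return [c for c in stem.lower() if c.isalpha()]


def consonant_vowel_counts(stem):
    letters = letters_of(stem)
    vowels = sum(1 for c in letters if c in VOWELS)
    return len(letters) - vowels, vowels


def perfectly_alternating(stem):
    """True when consonants and vowels strictly alternate, e.g. 'kalopemu'."""
    kinds = [c in VOWELS for c in letters_of(stem)]
    return len(kinds) >= MIN_LETTERS and all(a != b for a, b in zip(kinds, kinds[1:]))


def looks_random(filename):
    stem = filename.rsplit(".", 1)[0]
    consonants, vowels = consonant_vowel_counts(stem)
    if consonants + vowels < MIN_LETTERS:
        return False                       # too short to judge
    if vowels == 0 or consonants / vowels >= CONSONANT_VOWEL_RATIO:
        return True                        # consonant-heavy, e.g. 'xkqwtrbn'
    return perfectly_alternating(stem)     # the newer 1:1 pattern


def triage_autoruns(paths):
    """Return (path, verdict) pairs; verdict is one of
    known-koobface / benign / suspicious-random-name / unknown."""
    results = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in KNOWN_KOOBFACE_NAMES:
            verdict = "known-koobface"
        elif name in COMMON_WINDOWS_NAMES:
            verdict = "benign"
        elif looks_random(name):
            verdict = "suspicious-random-name"
        else:
            verdict = "unknown"
        results.append((path, verdict))
    return results


# Constructed autorun list; xkqwtrbn.dll and kalopemu.dll are invented names.
SAMPLE_AUTORUNS = [
    r"C:\Windows\system32\svchost.exe",
    r"C:\Program Files\tinyproxy\tinyproxy.exe",
    r"C:\Program Files\WebMediaViewer\bolivar28.exe",
    r"C:\Windows\system32\xkqwtrbn.dll",
    r"C:\Windows\system32\kalopemu.dll",
    r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
]

if __name__ == "__main__":
    for path, verdict in triage_autoruns(SAMPLE_AUTORUNS):
        print(f"{verdict:24s} {path}")
```

Anything that comes back as "unknown" still needs the manual lookup the comment describes; the heuristic only orders the list so that the entries worth checking first are at the top, and it will happily flag ordinary English words that happen to alternate (firefox, notepad), which is why a name match against a known-good list runs before it.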
This worm is being spread to people's private message boxes in Facebook; that is how I got it.
I didn't get it through email. I got it through a private message my BROTHER sent me in my Facebook account, under my private message inbox. I wouldn't have clicked on it, except I thought it was a picture of my brother and his wife with their new baby girl... You would have done the SAME thing, sir.
Tom
How do you even know what my boyfriend "fell for" exactly? ? ?
I hope someday you need some help figuring out your taxes; the IRS is racking up fees every day until you figure out which little number you put in wrong, and you are drowning in a sea of old receipts and paperwork. . . . . you call your accountant for help and he/she laughs at you and calls you an idiot for not keeping everything properly filed, input, and organized. Then your CPA says, "Use some common sense, quit your job because you are too stupid to report income correctly, and check yourself into some form of sensitivity seminar." Everyone makes mistakes sometimes; the next time you do, when someone is laughing in your face or spitting on you, I hope you remember how "helpful" you were to a complete stranger.
or DOES it...?
Seriously though, who wants to create a virus for an OS that only has 0.83% of the global market share?! With Windows hovering just below 90% of the market share it only makes sense that people devote time to expose its vulnerabilities.
I would've, to win the fame, $3000 computer, $10,000 cash prize, and probably a future job, in the Pwn to Own contest that happened about 6 months ago...
by Benlofton December 7, 2008 9:22 PM PST
Viruses. Viruses. Viruses. You just can't work on a PC anymore, even in a safe place like Facebook. I don't think this virus will be able to infect a Mac, just saying.