We recently received reports of private messages on Facebook that distribute a shortened URL pointing to an archive file named “May09-Picture18.JPG_www.facebook.com.zip”. The archive contains a single malicious file, “May09-Picture18.JPG_www.facebook.com”. The “.JPG” in the middle of the name is bait: the real extension is “.COM”, an executable format, so opening the supposed picture runs the malware. With the default Windows Explorer setting that hides known file extensions, the name is displayed as ending in “www.facebook”, which makes the file look even more like an image tied to Facebook.
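The disguised-extension trick above is easy to catch mechanically before an archive is opened. The following is an added example, not code from the original post or from Trend Micro: it lists the entries of a ZIP file held in memory, takes the text after the final dot as the extension Windows will actually honour, and flags any executable whose name also carries an earlier picture or document extension such as “.JPG_”. The archive is constructed inline for the example; only the file name “May09-Picture18.JPG_www.facebook.com” comes from the post, the other names and the file contents are filler, and the set of executable extensions is an assumption you should extend to your environment.

```python
import io
import re
import zipfile

# Extensions Windows runs as programs when double-clicked.
# Constructed list for this example; extend it as needed.
EXECUTABLE_EXTENSIONS = {
    ".com", ".exe", ".scr", ".pif", ".bat", ".cmd",
    ".vbs", ".js", ".jse", ".wsf", ".hta",
}

# Extensions a recipient expects for a picture or document, i.e. what the
# attacker wants the victim to believe the file is. The lookahead requires the
# decoy to be followed by a non-alphanumeric character, so ".JPG_www" matches
# while "picture.jpgfoo" does not.
DECOY_PATTERN = re.compile(
    r"\.(jpe?g|png|gif|bmp|pdf|docx?|xlsx?|txt)(?![a-z0-9])", re.IGNORECASE
)


def classify_name(name):
    """Describe one archive entry name.

    real_ext  - what Windows will actually use: the text after the final dot.
    decoy_ext - a picture/document extension appearing earlier in the name,
                e.g. ".jpg" for "May09-Picture18.JPG_www.facebook.com".
    disguised - True when the real extension is executable AND a decoy exists.
    """
    base = name.rsplit("/", 1)[-1]  # drop any directory part
    real_ext = ""
    if "." in base:
        real_ext = "." + base.rsplit(".", 1)[1].lower()

    decoy_ext = None
    for m in DECOY_PATTERN.finditer(base):
        # A match that ends the name is the real extension, not a decoy.
        if m.end() < len(base):
            decoy_ext = "." + m.group(1).lower()
            break

    executable = real_ext in EXECUTABLE_EXTENSIONS
    return {
        "name": name,
        "real_ext": real_ext,
        "decoy_ext": decoy_ext,
        "executable": executable,
        "disguised": executable and decoy_ext is not None,
    }


def scan_archive(zip_bytes):
    """Classify every file entry of a ZIP archive given as bytes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [classify_name(info.filename)
                for info in zf.infolist() if not info.is_dir()]


def disguised_entries(zip_bytes):
    """Names of entries that are executables wearing a decoy extension."""
    return [r["name"] for r in scan_archive(zip_bytes) if r["disguised"]]


def build_sample_archive():
    """Constructed stand-in for the archive described in the post.

    Only the first file name is taken from the post; the contents are filler
    and the other entries are invented to show a benign and a second bad case.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("May09-Picture18.JPG_www.facebook.com", b"MZ filler, not a real sample")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0 filler")
        zf.writestr("invoice.pdf.exe", b"MZ filler, not a real sample")
    return buf.getvalue()


if __name__ == "__main__":
    for r in scan_archive(build_sample_archive()):
        if r["disguised"]:
            verdict = "DISGUISED EXECUTABLE"
        elif r["executable"]:
            verdict = "executable"
        else:
            verdict = "ok"
        print(f"{r['name']:40} real={r['real_ext']:5} decoy={r['decoy_ext']}  {verdict}")
```

Run it as a script to see the three entries classified; the Facebook-themed file comes out as a “.com” executable with a “.jpg” decoy. A plain “setup.exe” is reported as executable but not disguised, so a mail or download gateway can apply a harsher policy to the disguised class without blocking every program in transit.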
Once executed, the malware (detected as WORM_STEKCT.EVL) terminates services and processes belonging to antivirus (AV) software, preventing the AV product from detecting or removing the worm. WORM_STEKCT.EVL also connects to specific websites to send and receive information.
Another noteworthy routine is that this worm downloads and executes a second worm, detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC monitors the affected user’s browsing activity on Facebook, Myspace, Twitter, WordPress, and Meebo, including messages posted, posted messages deleted, and private messages sent. It also spreads through those sites by posting messages that contain a link to a copy of itself.
Facebook and IM applications are tools for sharing and connecting. Cybercriminals’ use of these tools is nothing new, yet users continue to fall prey to such schemes. We recommend that users be conscious of their online behavior, particularly on social media sites. To learn more about preventing threats that target Facebook and other social media sites, read our comprehensive e-guide, A Guide to Threats on Social Media.
Furthermore, through our recent partnership with Facebook, Trend Micro™ protects users via the Smart Protection Network™, which blocks access to the related malicious link. The file reputation technology in the Smart Protection Network™ detects and deletes both WORM_STEKCT.EVL and WORM_EBOOM.AC.