Facebook worm still spreading
Early in August, security firms noticed a worm spreading on Facebook through wall posts, claiming to contain a video requiring a new codec to be installed. Variants of this worm are now being spotted on a weekly basis.
The virus appears to be a slightly modified version of what Kaspersky Labs called Koobface; a worm elaborate in its design, but crude in execution.
Utilizing the same poorly worded social engineering tricks, the worm sends messages in Facebook with subject lines like "Hi My Friend," or "Hej!" and contains a verbose link to a video that claims to feature the recipient in some way. Instead of loading a video, it says the user's version of Flash is out of date and needs a new codec. Attempting to click on any part of the video player, including the sender's profile information, the fake comments, or settings, results in a forced download.
Up to this point where the user downloads the file entitled "codecsetup.exe", the worm's methods are exactly the same. Once the "codec" file is opened, it creates a file called "fbtre9.exe", different from the Koobface.A profile, which created a file called "mstre6.exe." This appears to be the sole difference between the two, and the twelfth time the virus has mutated in such a way (there are currently 27 different Koobface infections).
When the file is run for the first time, it generates an error message and begins looking for Facebook user ID cookies. If found, the results are intended to be reproduced every time the user turns on his computer.
During the inital spread of "Koobface," Facebook's head of security Max Kelly wrote in the official blog that "Less than .002 percent of people on Facebook have been affected, all of whom we notified and suggested steps to remove the malware."
At least for BetaNews, which purposefully installed the koobface virus on a virtual machine, this statement is untrue; we were neither notified nor were we informed on corrective measures. However, the message which carried the virus disappeared promptly after obtaining the necessary files. Some have attributed this to either Facebook's diligent users or staff, but this is yet unconfirmed.
