JS_SPAMVIR.SMDA

This malware is a JavaScript component of a Facebook Clickjacking campaign.

It posts a news share on the affected user's Facebook profile about a fake scandal of a Hollywood actress. The post may contain any of the following text which this malware chooses randomly:

• "OMG look this video"

• "Hey look at this"

• "Have you seen this"

• "OMG check this out"

This Trojan may be downloaded from remote sites by other malware.

Arrival Details

This Trojan may be downloaded from remote site(s) by the following malware:

• JS_SPAMVIR.SMD

It may be downloaded from the following remote sites:

• http://{BLOCKED}cripts.it/divx2/function.js
• http://{BLOCKED}cripts.it/divx2/page.js

NOTES:

This malware is a JavaScript component of a Facebook Clickjacking campaign.

It posts a news share on the affected user's Facebook profile about a fake scandal of a Hollywood actress. The post may contain any of the following text which this malware chooses randomly:

• "OMG look this video"
• "Hey look at this"
• "Have you seen this"
• "OMG check this out"

The news share may then point to any of the following sites, which are also randomly chosen by the malware:

• http://{BLOCKED}ver.blogspot.it/
• http://{BLOCKED}ver.blogspot.fr/
• chttp://{BLOCKED}ever.blogspot.jp/
• http://{BLOCKED}vver.blogspot.ca/
• http://{BLOCKED}vver.blogspot.in/
• http://{BLOCKED}vver.blogspot.co.nz/
• http://{BLOCKED}vver.blogspot.com.es/
• http://{BLOCKED}vver.blogspot.com/
• http://{BLOCKED}vver.blogspot.co.uk/
• http://{BLOCKED}vver.blogspot.de/
• http://{BLOCKED}vver.blogspot.com.ar/

It makes the affected user inadvertently like the following fan page:

• http://www.facebook.com/{BLOCKED}wwhatfy?/7416876132874

This malicious script may also lead the user to the following URL:

• http://{BLOCKED}helife.info/divx2/watch.php?extra - leads to a fake video streaming site