Facebook/Myspace virus

I got an email message generated from a Facebook virus that had a link to a video on YouTube. I clicked on the link, which then showed a dialog saying I needed to click a link to download a plug-in to play the video. Firefox showed the file was downloaded, but when I tried to run the program, nothing happened. I downloaded it a second time with the same result. So I suspected it was a plugin that wouldn't work with Firefox.

When I saw an article in a newspaper on August 8th warning of a virus on Facebook and Myspace that created email messages ostensibly from users' "Friends", I checked "Recent Downloads" in my Firefox browser and then opened Windows Explorer (My Computer on XP). I found 2 executable files under Windows/Prefetch: "CODECSETUP.EXE [numeric string].pf" and the same file name with a different numeric string in the file name. I suspect these are the two files I downloaded from the erroneous email links. When I open Control Panel and look at Add/Remove Programs, I don't see anything I don't recognize as a genuine program.

I’m running today’s avast! virus update that hasn’t detected anything. I’ve had no warning from anything about these files.

What to do?

Thanks, Mark

Try and submit them to the Alwil team for analysis and, if you can, manually add them to the virus chest.

I suggest:

  1. Disable System Restore and then reenable it again.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast! with archive scanning turned on. If avast! does not detect it, you can try DrWeb CureIT! instead.
  4. Use SUPERAntiSpyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit a RunScanner log for on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Take a look at this article. It appears to be a net worm called Koobface.

hi,

I would like to know if avast! identifies this virus (Net-Worm.Win32.Koobface.b).

Please note that Kaspersky and Symantec already have it in their databases.

http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99&tabid=2

Thanks

It would be great if someone could perhaps bring this to the attention of Alwil, but then again maybe they are already aware of it. Can't be too sure these days with all these new malware strains coming out, and with malware being called many names (aliases) by various anti-malware companies it can get quite confusing.

Avast! didn't alert me to the Koobface virus I downloaded from Facebook, even though I get daily automatic downloads of virus updates from avast! every time I log on, and I don't "live" on Facebook; in fact, I log into my Facebook account after the avast! update is installed. But when I followed the above steps and did a complete scan, it did identify it. I suspect CP, the Canadian national news service (like AP in the US), and even my local newspaper, knew about the Facebook virus before avast! did, which disappoints me. Now I'm going through the above multiple-step process, with a dialup internet connection, trying to clean up the mess! A month ago this had been a new, virus/worm/malware-free computer that I thought had been protected by avast!

Thanks for nothing avast! You let me down. >:(

Thanks for nothing avast! You let me down.
If you go clicking on anything without investigation, then you are at risk of being infected with the latest malware that the prolific malware purveyors are wont to create; in that case I guess you should give up the Internet and look for safer endeavors.

Google Results 1 - 10 of about 61,400 for Koobface:

Your statement is unfairly sarcastic, and unrealistic. You don't trust an email from a sister with a link to a Flash Player update download? Check out the Kaspersky article linked above for a fairer explanation:

"Unfortunately, users are very trusting of messages left by 'friends' on social networking sites. So the likelihood of a user clicking on a link like this is very high", says Alexander Gostev, Senior Virus Analyst at Kaspersky Lab.

Blaming me is no better than blaming the victim. It is an easy, dismissive reaction for you, but it is unsympathetic and not helpful.

In the meantime, I'm out of Facebook, the only "social networking" site I've been on, and even then only for about a month.

Mark

I don't trust any email/message etc., as it is too easy to fake who it is from, and I never open attachments or click links in 'unsolicited' emails/messages, even ones purporting to come from friends/family, etc. The social networking sites are rife with this type of malware infection, as it is easy to find who is in your circle of friends and use their names to lull you into a false sense of security.

Always check: there are plenty of link checkers out there, or ask the supposed originator of the email/message if they sent it, etc. There is also Firefox, which has the following add-ons: NoScript, which blocks scripts (the common means of infection) until you explicitly allow a site/page to run them, and the DrWeb link scanner add-on, so you can pre-scan a link before visiting.

http://online.us.drweb.com/?url=1
http://linkscanner.explabs.com/linkscanner/default.asp
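The advice above amounts to looking at where a link really goes before following it. As an added example written for this thread (not code from any poster, and not how the DrWeb or LinkScanner services work), the script below runs a few mechanical pre-checks over the links in a message body: does the visible URL point at the same domain as the real target, is a well-known site's name buried inside an unrelated host, is the host a bare IP address, and does the target point straight at an executable with codec/plug-in/player wording. The sample message is constructed to resemble the lure described earlier in the thread; the known-domain list, the lure words and the two-label domain rule are assumptions made for the example.

```python
"""Pre-check links in a 'friend' message before clicking.

Added example, not from any poster in this thread. The message below is
constructed to look like the video-plus-codec lure described earlier.
Domain lists and lure words are assumptions for this example.
"""
import ipaddress
import re
from urllib.parse import urlparse

ANCHOR_RE = re.compile(r'<a\s[^>]*?href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.IGNORECASE)

KNOWN_DOMAINS = {"youtube.com", "facebook.com", "myspace.com"}   # assumption
BRANDS = ("youtube", "facebook", "myspace")
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".msi")
LURE_WORDS = ("codec", "plugin", "plug-in", "flash", "player", "setup", "update")


def registered_domain(host):
    """Last two labels of a hostname; adequate for .com-style names (assumption)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text=""):
    """Return the list of reasons a link deserves suspicion (empty if none)."""
    reasons = []
    u = urlparse(href)
    host = (u.hostname or "").lower()
    path = u.path.lower()
    if u.scheme not in ("http", "https"):
        reasons.append("non-web scheme")
    if host and is_ip_literal(host):
        reasons.append("bare IP address instead of a hostname")
    elif host and registered_domain(host) not in KNOWN_DOMAINS and any(b in host for b in BRANDS):
        # e.g. youtube.com.video-codec.example: the brand is a subdomain label,
        # the real owner is whoever registered the last two labels.
        reasons.append("look-alike host: brand name inside an unrelated domain")
    if path.endswith(EXECUTABLE_EXT):
        reasons.append("link points straight at an executable")
    if any(w in path for w in LURE_WORDS) or any(w in text.lower() for w in LURE_WORDS):
        reasons.append("codec/plug-in/player lure wording")
    for shown in URL_RE.findall(text):
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and host and not is_ip_literal(host) \
                and registered_domain(shown_host) != registered_domain(host):
            reasons.append("visible URL differs from real target")
    return reasons


def scan_message(html):
    """Return [(href, reasons)] for every anchor in an HTML message body."""
    return [(m.group("href"), check_link(m.group("href"), m.group("text")))
            for m in ANCHOR_RE.finditer(html)]


def suspicious_links(html):
    return [href for href, reasons in scan_message(html) if reasons]


# Constructed sample message (198.51.100.0/24 and .example are reserved for documentation).
SAMPLE_MESSAGE = """<p>Hey, you look so funny in this video!</p>
<a href="http://youtube.com.video-codec.example/watch.php?v=Q1W2">http://www.youtube.com/watch?v=Q1W2</a>
<p>Download the plug-in to play it:</p>
<a href="http://198.51.100.7/codecsetup.exe">Flash Player update</a>
<p>Unrelated genuine link for comparison:</p>
<a href="http://www.youtube.com/watch?v=abc123">a real one</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_message(SAMPLE_MESSAGE):
        print(href, "->", "; ".join(reasons) or "no findings")
```

None of these checks proves a link is malicious, and a clean result does not prove it is safe; they only surface the signs that are easy to miss when the sender appears to be a friend, which is the point the poster above is making.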

Wait a minute, I use Firefox 3.0.1, have a collection of its add-ons which in part includes Adblock Plus and Flashblock, and thought I had the best antivirus software out there!

Now maybe you have the time to ask the originator of an email if it's genuine, or pre-scan a link before visiting it, but it's impracticable; none of us has the time, nor can I see you having the time with 25,000 posts on this site alone! I'll bet even the best of fast-working geeks gets caught once in a while. Of course, that's where good antivirus protection comes in.

And that's the real issue! Never mind blaming me: why didn't avast! protect me? They were caught asleep with a known virus infecting the most popular social networking site on the internet! Kaspersky's article linked above (did you check that link before visiting?) was dated July 31st, and I was infected no sooner than a few days after that. I get an automatic antivirus update every day when I log on. Where did avast! go wrong? Someone on vacation, someone asleep at the switch, or a technical shortcoming?

Those are the questions that need answering. Before avast! becomes a thing of my past.

Mark

You don't walk across a 3-lane motorway; you find a safe place to cross. The same is true of how you use the internet. You don't dive in relying on your AV (and that includes Kaspersky) to keep you out of trouble; nothing will provide 100% protection, and at some point in time you would get creamed.

AdBlock Plus and Flashblock I wouldn't include in any list of security add-ons; they are more a removal of a pain in the rear, whilst I use AdBlock Plus to ease the load on my dial-up.

I didn’t scan it as I didn’t visit it.

Cut me a break, dude! To play along with your road analogy: do you always drive the posted limit? Use your directional signal before every turn? Stop at every amber traffic signal when you comfortably can? Reduce your speed to every speed advisory posted under every curve warning sign? If you do, then you're one in a million and better than the rest of us! Remember, as with motorists, there are different skill levels among the wide population of internet users served by avast! Surely that must be taken into account.

Anyway, I followed Tech's 8-step advice listed in his post above and got rid of the virus. In fact, there were a couple of others that avast! hadn't found. So thanks to the forum, avast! succeeded. Also, I've sworn off Facebook; in fact I won't even go back to cancel my account, and won't respond to email originating from Facebook. To that extent, all's well that ends well since, luckily enough, I read a newspaper article!

I'm just a little disappointed with avast! No matter what mistake I made, and from the report a ton of people have made or will be making the same one, avast! should have protected me, or at least given me a warning, a heads-up, or done something. The fact is, competing AV programs knew of the virus and acted on it before avast! did. Say what you will, that's the undeniable truth.

Mark

No one is disputing that other AVs knew about this before avast!

That fact isn't going to change; it is the same across the board for all AVs: they miss stuff and/or they aren't always first to detect a new piece of malware. There will always be what are known as zero-day viruses, those which are out there before they happen to be detected, and that is another fact. In the meantime we have to exercise care.

I'm not perfect by any stretch of the imagination, but I do exercise a degree of care: the browser I choose, the security add-ons, always running my internet-facing applications (browser, email clients, etc.) without administrator rights (DropMyRights). These things limit the potential for a virus to strike. In the unlikely event that it did strike, it would limit the potential damage that can be done, since the malware doesn't inherit the user's administrator rights.

Add to that, I have the fallback of my anti-virus, the Web Shield (or Network Shield) followed by the Standard Shield, so I don't have my AV as my first line of defence, and should everything fail, I have a backup and recovery strategy that would allow for recovery from any virus infection or other computer disaster.

I have had avast! for four and a half years and have never been infected, whereas I did get infected with my previous AV.

This is not intended to apportion blame but to let you know there are proactive things which you can do to limit the chances of getting creamed by an undetected virus and, if you do, to limit the potential for damage.

“Browsing the Web and Reading E-mail Safely as an Administrator” http://blogs.msdn.com/michael_howard/archive/2004/11/18/266033.aspx

Or, if using Vista, use UAC and run from a standard, not administrator, account.