(Forgive me if this is the incorrect place to post this. I’m not sure where this would go…)
So I’d heard about malicious scams on Facebook via the ‘like’ feature. Just a short while ago, I clicked on one ‘fanpage’ that one of my friends liked that popped up in my feed, and was sent to a site with the URL likeportal.com. I bailed ASAP, but I’m wondering if the damage is already done? How does this scam work, anyway? Is it a virus, or malware, or something else? Does anyone know?
The malware involved in this social engineering scheme is a worm, described here: http://www.sophos.com/blogs/sophoslabs/?p=9783
Manual removal of the malcode:
To remove Troj/iframe-ET, you must first stop any Troj/iframe-ET processes that are running in your computer’s memory. To stop all Troj/iframe-ET processes, press CTRL+ALT+DELETE to open the Windows Task Manager. Click on the “Processes” tab, search for Troj/iframe-ET, then right-click it and select “End Process.”
To delete Troj/iframe-ET registry keys, open the Windows Registry Editor by clicking on the Windows “Start” button and selecting “Run.” Type “regedit” into the box and click “OK.” Once the Registry Editor is open, search for the registry key “HKEY_LOCAL_MACHINE\Software\Troj/iframe-ET.” Right-click this registry key and select “Delete.”
Finally, to completely get rid of Troj/iframe-ET, you must manually remove other Troj/iframe-ET files. These Troj/iframe-ET files can be in the form of EXE, DLL, LSP, TOOLBAR, BROWSER HIJACK, and/or BROWSER PLUGIN. For example, Troj/iframe-ET might create a file like %PROGRAM_FILES%\Troj/iframe-ET\Troj/iframe-ET.exe. Locate and remove these files.
Does Avast pick up these worms? Or do you have to search through manually and remove? I searched the processes tab and didn’t find anything named Troj/iframe-ET (likewise with searching the system). Is it disguised as something else, usually?
Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
After install, click update so you are scanning with the latest database.
Run a quick scan and click on the remove selected button to quarantine anything found.
Post the scan log here.
It is disguised in Facebook feeds as a legitimate Facebook fan page, appearing as “[username] likes [subject]”, where the [subject] is a link that sends users to hxxp://likeportal.com/index.php?id=[number]. Upon investigation, likeportal.com advertises itself as allowing Facebook users to LIKE anything they want without having a Facebook fan page already made.
I’m not sure if it just grabs information from a user’s Facebook page or if it implants that worm, or both.
Anyway, I hope that helps. Thanks for your assistance in this matter!
Pondus, that’s a very interesting website called “UnmaskParasites”. Can you please tell me more about it, and is it really good for checking for nasty web parasites? And besides, you’re very good at security things.