Koobface (a play on the word Facebook) is a virus distributed via Facebook messaging, the Facebook Wall and other Facebook communication tools. The Facebook (Koobface) virus can turn your computer into a zombie and hijack your web browser. Koobface attempts to automatically send Facebook messages to your Facebook friends list in an attempt to infect more computers. Koobface has spread quickly to hundreds of thousands of computers because consumers are (not surprisingly) more likely to trust messages from friends.
There are two variants: Net-Worm.Win32.Koobface.a, which is the Facebook variant, and Net-Worm.Win32.Koobface.b, which is the MySpace variant.
As it happens, I recently received a message from a Facebook friend that turned out to be a hook for the Koobface virus. Here is the message I received in my Facebook inbox (as well as a similar message posted to my Facebook Wall):
What happens next falls into the “don’t try this at home” category. While I could tell from the message posting that it was a virus (telltale signs: an odd URL and a generic “Amazing Video” message that didn’t sound like it came from the person sending the message), I clicked on the link to document the experience and was taken to the following web page:
At this point you are still safe, but red flags should be going off in your mind if you were tricked into clicking the Facebook link. The red flags are things like this: the URL (web address) is an IP address (75.253…) rather than a website domain (like www.support.com), and the webpage asks you to download a file immediately upon visiting (note the security warning from IE, “To help protect your security”). The Adobe Flash Player upgrade request is completely bogus – and is the trick to get consumers to take the next step… which I did (don’t do this at home!):
After allowing the download to proceed, I am now one click away from infecting my computer. The application “setup.exe” is the Koobface virus… not the Adobe Flash Player. Windows gives you one more warning:
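The red flags described above (a generic lure, a link whose host is a raw IP address, a download that is really an executable) can be checked mechanically in message text. The following is an added example, not part of the original post; the function names, the lure and extension lists, and the sample messages (which use documentation-range IP addresses) are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Constructed list of file extensions that run code on Windows when opened.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".msi")
# Constructed generic lure phrases, modelled on the "Amazing Video" message.
GENERIC_LURES = ("amazing video", "is this you", "check this out")


def is_ip_literal(host):
    """True when a URL host is a raw IPv4/IPv6 address rather than a domain."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def red_flags(message):
    """Return the sorted red flags found in one message body."""
    flags = set()
    if any(lure in message.lower() for lure in GENERIC_LURES):
        flags.add("generic-lure")
    for raw in URL_RE.findall(message):
        try:
            # Drop punctuation that trails a URL at the end of a sentence.
            parts = urlsplit(raw.rstrip(".,);!"))
        except ValueError:  # e.g. an unterminated "[" in the host
            flags.add("malformed-url")
            continue
        if is_ip_literal(parts.hostname):
            flags.add("ip-literal-host")
        if parts.path.lower().endswith(EXECUTABLE_EXT):
            flags.add("executable-download")
    return sorted(flags)


# Constructed sample messages; 192.0.2.0/24 is reserved for documentation.
SAMPLES = [
    "Amazing Video! http://192.0.2.10/watch/setup.exe",
    "Lunch photos are up at http://www.support.com/album",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(red_flags(msg), "<-", msg)
```

A message with no flags is not proof of safety; the check only surfaces the specific signs this post walks through.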



