Facebook virus spreads via photo album chat messages


A new social networking worm in the vein of Koobface is currently doing the rounds.

A Naked Security reader, George, who had been exposed to it on Facebook, reported it to us. Unlike the majority of Facebook scams we report, this one actively infects your computer with malware instead of simply tricking you into taking surveys and passing on messages to other users.

The link a friend sent him in Facebook chat pointed to an app.facebook.com/CENSORED address. Typically, when you go to a Facebook app page, it prompts you to add the application and grant it permission to post on your behalf or read your profile data. The scary part about this one is that it immediately offers you a "FacebookPhotos#####.exe" file to download, with no clicking required.
The screen reads "Photo has been moved. This photo has been moved to other location. To view this photo click View Photo." If your computer has not already downloaded the malware, the "View Photo" button will download the virus for you.
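For defenders reviewing web proxy logs, the delivery pattern described above (an executable download whose name poses as a photo) can be hunted with a simple heuristic. This is an added example, not code from the original article; the log format, the example.test hosts, the digits in the file name and the keyword list are all constructed assumptions, and the check is generalised beyond the one file name to other media-themed or double-extension executables.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines: client, method, URL, status, Content-Type.
SAMPLE_LOG = """\
10.0.0.12 GET http://apps.example.test/photo_app/ 200 text/html
10.0.0.12 GET http://cdn.example.test/dl/FacebookPhotos48213.exe 200 application/octet-stream
10.0.0.15 GET http://cdn.example.test/albums/holiday.jpg 200 image/jpeg
10.0.0.19 GET http://cdn.example.test/get?id=7 200 application/x-msdownload
10.0.0.21 GET http://tools.example.test/setup.exe 200 application/x-msdownload
10.0.0.23 GET http://cdn.example.test/FOTO_0012.JPG.scr 200 application/octet-stream
"""

EXEC_EXT = (".exe", ".scr", ".pif")
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec"}
# Heuristic keyword list (assumption); expect some false positives.
LURE = re.compile(r"photo|foto|image|pic|album", re.I)
MEDIA_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)\.", re.I)


def classify(line):
    """Return a finding dict for a suspicious executable download, else None."""
    fields = line.split()
    if len(fields) != 5:          # skip malformed lines
        return None
    client, _method, url, status, ctype = fields
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    named_exec = name.lower().endswith(EXEC_EXT)
    typed_exec = ctype.lower() in EXEC_TYPES
    if status != "200" or not (named_exec or typed_exec):
        return None
    reasons = []
    if named_exec and LURE.search(name):
        reasons.append("media-themed name on executable")
    if named_exec and MEDIA_EXT.search(name):
        reasons.append("double extension")
    if typed_exec and not named_exec:
        reasons.append("executable content type under non-executable name")
    return {"client": client, "file": name, "reasons": reasons} if reasons else None


def scan(log_text):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["file"], "; ".join(hit["reasons"]))
```

An ordinary installer download such as setup.exe is deliberately not flagged; only executables dressed up as media, or served under a non-executable name, are reported.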

It is really unfortunate that Facebook scams are moving back towards spreading malware. Fortunately, users of Sophos Anti-Virus had proactive protection from this threat with both our HIPS and suspicious file detection technologies; this particular strain is now identified by Sophos as W32/Palevo-BB.

The good news is that even as I was writing this article, Facebook removed the malicious application from its service. But there are probably many more applications like this one making the rounds, so, as always, beware of unusual messages from friends whether they are in email, on their walls, or in an instant message.

If you're a Facebook user, I invite you to join our Facebook page, where we post all the latest security news and threats you need to watch out for. We also have a Facebook privacy guide explaining how to navigate the privacy settings, with recommended settings to control your profile.

For those of you who need to educate your users on how to safely use social media sites, you can download our free social media education toolkit.


41 Responses to Facebook virus spreads via photo album chat messages

  1. swatts · 1361 days ago

    as if there isn't enough of those on the net, now there is another new one. damn people that do that just to screw up people's computer or get their information. have had those so I know. am very careful about what I open now.

  2. Thu Win · 1360 days ago

    Is this the same virus http://www.symantec.com/security_response/writeup... (W32.Yimfoca)?

    • Chester Wisniewski · 1360 days ago

      Yes, we have updated our identity to be W32/Palevo-BB

  3. MEL · 1360 days ago

    McAfee.. search,, 'koobface'..."no results"

    What am i really looking at..? thks n adv

  4. chromedome · 1359 days ago

    Lock some folks up for 20 years, and make it very public,
    and they might think twice about creating these things...

  5. jvrudnick · 1359 days ago

    nice catch, Chet....muchly appreciated by us FB users, eh!

    ;-)

    Jim

  6. armand · 1358 days ago

    I have the virus on facebook it says : Foto :D and then a link tabbed to it!!!

  7. Anthony · 1357 days ago

    I have a question for all on the page. If you did not request it and it leads you to a place you did not want to go, why would you hit the button? Do not click on things in e-mail or on FB you did not request yourself. Safety rule number one. Why do hackers do this? The answer is: because "IT WORKS". You have to be your own first line of defense.

    • My guess is that people click on the link because of social engineering.

      They are tricked into believing the chat message has come from a friend - perhaps someone who they wouldn't be surprised to point them towards an online photo.

      You're right, of course, folks should be much more careful and apply more common sense when online. Unfortunately some people aren't so cautious, and that's who the bad guys are relying upon.

    • becky · 1346 days ago

      Because the message shows up from one of your facebook friends in a chat screen saying "Is this you?" and a link that looks to be to a photo. I got the message and had no idea it was not from my friend. Any suggestions on what to do if the malware is downloaded on my computer?

  8. That same virus tried to infect me today. That same "photo has been moved" text and image appeared. Win 7 didn't download the file (it asks permission to run the exe file). And Avast didn't retrieve any positive results of an infection.
    So, that means I'm safe?

  9. Someone · 1342 days ago

    what can I do if I already opened the file?

  10. Adam$$ · 1342 days ago

    yeah - could you tell me how to delete this virus? i downloaded it and im infected - what program should i use ?? pls help

  11. systemworm · 1339 days ago

    it is not a virus and its an old one this is how to remove it
    f Koobface Virus:
    1 – Kill these processes:
    fbtre6.exe
    mstre6.exe

    2 – Delete
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "systray" = "c:\windows\mstre6.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "systray" = "C:\Windows\fbtre6.exe"
    HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

    3 – Delete
    C:\Windows\fbtre6.exe
    C:\Windows\fmark2.dat

    then run Malwarebytes

    • Chester Wisniewski · 1338 days ago

      If this was actually Koobface, you would be correct... Unfortunately this malware is called Palevo and affects the system in different ways. There are several variants and they infect systems in different ways.

      Downloading all available updates from your AV vendor and running a full system scan is the best advice. Sophos products detect all known variants and can both prevent infection and perform cleanup.

      Chester

  12. Noreen · 1337 days ago

    Please tell me in english how to delete this virus!!!!THANKS!!!

  13. mary · 1337 days ago

    Does it affect Mac as well or just PC?

  14. Carole · 1337 days ago

    Does this affect Mac computers? I unfortunately got tricked! I have been very careful in the past but this one got me! ARGGGGGG I'm just worried that it might have spread out to my external drive which was connected to my Mac at the same time this happened.

    I'm so frustrated!

  15. bryan · 1332 days ago

    hi when i sign in the page just redirects back to the sign in page and never lets me into FB but if i bring my laptop to my buddys house it lets me sign in with no problem or if i use our other computer in the house on the same wireless system i can sign in with no problem what could be the problem?

  16. Justin · 1331 days ago

    Graham it looks like you're awfully busy here answering people's questions. I would appreciate if you can take the time to answer my question as well. I think I might be infected because I spammed the same, ''take a look at this photo'' to a friend when i logged on facebook. So that must mean I am infected?.. I mean, I Ran the photo , I didn't save it then open it, doesn't seem like there's quite any differences but I need to know if there's any virus scanners that will pick up this malware and delete it. I use Microsoft Security Essentials but it seems that it didn't effectively get rid of the virus, additionally this is not even my computer... =(

    • Yes, your computer might be infected.

      If Microsoft Security Essentials isn't finding anything you could try some alternative anti-virus products (make sure they're up-to-date) to see if they can detect anything. If you're still struggling you might need to find a geek who can actually look at your computer for you.

    • j2progeny · 1142 days ago

      same here...I have MSEssentials but can't clean or detect it.
      try PC Tools Doctor.

      i can't remove the virus *.exe file when logged in.
      very irritating since it keeps on opening again and again..
      it is found in the drive C:... this can't be manually deleted.
      But this PCToolsDoctor has a deleting capability by which it can force delete the application.. will reboot your computer and clean the malware.

  17. Hope · 1329 days ago

    I am so upset. :( my computer was just infected i dont know what to do. I have no clue when it comes to computers.

  18. Maddy · 1329 days ago

    It happened last night my daughter was on facebook when a friend im "look at this photo's ha ha" and that's it. It has taken over my computer and I do not know what to do.

    • If you think your PC is infected and your paid-for anti-virus software isn't doing the job contact their tech support team - that's what you gave them money for!

      Good luck

  19. nebeln · 1320 days ago

    I have been tricked by the scam and now it hijacks my computer and deletes all my MSN chat windows and I'm unable to open new chatsessions again without restarting MSN. And at the sign-in page for facebook I'm unable to uncheck the "keep me signed in" and sometimes the mouse is freezing. My computer feels hijacked. Avast AV with latest Virus/Wormlist doesn't find it. What to do?!?!?!?

  20. CynicalSquid · 1305 days ago

    Geez, seriously?
    MESSAGE TO ALL DUDES AND DUDETTES WHO CREATE VIRUSES:
    You want money? GET OFF OF YOUR LAZY BUTTS AND GET A FRIKKIN' JOB! AN EDUCATION THAT'LL GIVE YOU A GOOD FUTURE, AND GET A FRIKKIN' WELL-PAYING JOB! GET A LIFE WHILE YOU'RE AT IT! Gosh, people are idiots!

  21. Mollie · 1301 days ago

    uhm yeah its not gone ... and i got tricked :( no comments but its filling my facebook with half naked girls and "crush" ad things and now im getting millions of pop ups ... HOW THE HECK DO I GET RID OF THIS THING??? help me :(

  22. Larry · 1295 days ago

    OMG that just happened to me right now! thank god it only infects the pcs, although i dont want to pass it onto my pc friends. right as im typing more of my friends r sending me the same message because of that one friend

  23. shreeya · 1290 days ago

    hay.ive got the fb virus just now that spread quickly in the chat messages.....
    does it recover?
    im now currently stayin offline ..idk what to do.
    any solutions?????

  24. Chris · 1260 days ago

    Seriously, if they are good enough to program these viruses, they could be making a lot of money in the LEGITIMATE world...helping people, not hurting them....

  25. Dave · 1242 days ago

    If people are foolish to click on anything a website tells them to then they get what they deserve, It's only going to get worse until people educate themselves on how to avoid these things, whilst it is unfortunate these people get a virus, it's the only way they will be inclined to take responsibility for their recklessness, and learn how to use a computer.

    • eustace flynn · 1168 days ago

      That's easy for you to say since you've NEVER had a virus. The cause of the problem is that there are people who write viruses with malicious intent.
      Blame the victim of course.

  26. 123 · 1231 days ago

    just buy a mac , no tension of virus,virus free haha !

  27. Dan · 1165 days ago

    Hi, just wondering what can be done, my mom downloaded it on her iPad. Is there anti-virus software she needs for that?

    Thanks

  28. george_X · 1059 days ago

    i have a virus that doesn't let in at fb...it sends me a message on chat from a friend and a link,when i clicked the link i downloaded something...after a day i had 700 infections 30 trojan and other stuff...but the most important was that it doesn't get to fb at all...i remove them all but still fb isn't working for me...

  29. Michaelgates · 904 days ago

    I'm always surprised at the gullibility of the average FB user... I use facebook but have never fallen prey to any of these infections.

    I know pretty much all of my FB friends irl and they are on the whole quite intelligent people yet pretty much every one of them has fallen for the , "who's viewed me / Your first post" type stuff.

    Hey ho...

  30. TamamoChan · 760 days ago

    i cant use my facebook well. i was infected by a virus. My friend sent me a .rar file with jpeg i dont remember if its jped or jpeg i thought he was having problems so i downloaded it.. Oh Gosh Now what happened. i cant access My Facebook well. i Cant post anything. even If i use other accounts.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.