The new worm is supposedly spreading through messages sent through Facebook encouraging recipients to click on a URL to view video/image content. The URL is of the form:
h__p://www.google.com.id. ( snip snip ) .(removed).cn/gallery.php?id=...
The content is not hosted on google.com – that is there to trick the recipient into trusting the link. Those that click will be rewarded with malware (with the filename picture_dl.exe). Specifically, a downloader Trojan for which detection has been added as Troj/Dloadr-BPL. The downloader was proactively detected as Sus/ComPack-B for those with suspicious type detections enabled.
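The trick in that URL is that google.com appears as subdomain labels, while the registrable domain (the part that actually identifies the owner) is the .cn name at the end. The following is an added Python example, not code from the original post or from Sophos, showing how a mail or messaging filter can catch that pattern: it extracts each link's hostname, works out the registrable domain, and flags any link where a trusted brand name appears in the hostname (or in the user-info part before an @) without actually being the registrable domain. The hostnames, the message text and the small suffix table are constructed for illustration; a real deployment would use the Public Suffix List rather than a hard-coded subset, and the snipped portion of the real URL is not reproduced here.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes for this example only;
# use the Public Suffix List in production.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "co.uk", "co.id", "com.au"}

# Brands that attackers commonly plant in a hostname to borrow trust.
TRUSTED_BRANDS = ("google.com", "facebook.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the owner-identifying part of a hostname.

    'www.google.com.id.example.cn' -> 'example.cn'
    'www.example.com.cn'           -> 'example.com.cn'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _contains_brand(text: str, brand: str) -> bool:
    # Match whole labels only, so 'notgoogle.com' does not count as 'google.com'.
    padded = "." + text.lower().strip(".") + "."
    return "." + brand + "." in padded


def spoofed_brand(url: str):
    """Return the trusted brand a link impersonates, or None if it is clean.

    Only the hostname and user-info part are inspected: a brand name in the
    path or query string (e.g. ?ref=www.google.com) is not a spoof.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    for brand in TRUSTED_BRANDS:
        if owner == brand:
            continue  # genuinely hosted on the brand's own domain
        if _contains_brand(host, brand):
            return brand
        # 'http://www.google.com@example.cn/' puts the brand before the @
        if parts.username and _contains_brand(parts.username, brand):
            return brand
    return None


def flag_links(message: str):
    """Return [(url, brand)] for every link in a message that spoofs a brand."""
    flagged = []
    for url in URL_RE.findall(message):
        brand = spoofed_brand(url)
        if brand:
            flagged.append((url, brand))
    return flagged


# Constructed sample message: one lookalike link, one genuine one.
SAMPLE_MESSAGE = (
    "hey check this out http://www.google.com.id.example.cn/gallery.php?id=12 "
    "and my real profile http://www.facebook.com/profile.php?id=1"
)

if __name__ == "__main__":
    for url, brand in flag_links(SAMPLE_MESSAGE):
        print(f"SUSPICIOUS: {url} pretends to be {brand}, "
              f"owner is {registrable_domain(urlsplit(url).hostname)}")
```

The check deliberately compares whole labels and looks at the registrable domain rather than searching the raw string for "google.com": a substring match would both miss nothing and flag everything, including legitimate links to google.com itself and links that merely mention the brand in a query parameter.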
When run, this downloader fetches a second Trojan from a remote server; detection for that Trojan has been added as Troj/Agent-HJX. It also downloads and displays an innocent image from a popular download site, and saves it to the Windows folder as
Whether this really is a Facebook worm, and not simply malware being distributed via Facebook spam, remains to be seen. We will carry on investigating the various components and update as appropriate.
In the meantime, the usual rules apply. Treat all messages bearing ‘click_here_to_view_this’ style “gifts” as suspicious, whether received by email or any other messaging platform (irrespective of who the message appears to be from).