New Facebook malware?

Over the past 24 hours, there have been reports of some new Facebook worm out there [1]. Supposedly something new, not the same as that discussed last week – aka ‘Koobface’ [2,3].

The new worm is supposedly spreading through messages sent through Facebook encouraging recipients to click on a URL to view video/image content. The URL is of the form:

h__p:// ( snip snip ) .(removed).cn/gallery.php?id=...

The content is not hosted on – that is there to trick the recipient into trusting the link. Those that click will be rewarded with malware (with the filename picture_dl.exe). Specifically, a downloader Trojan for which detection has been added as Troj/Dloadr-BPL. The downloader was proactively detected as Sus/ComPack-B for those with suspicious type detections enabled.

When run, this downloader downloads another Trojan from a remote server, which has been added as Troj/Agent-HJX. It also downloads and displays an innocent image from a popular download site, and saves it to the Windows folder as joke.


Whether this really is a Facebook worm, and not simply malware being distributed via Facebook spam remains to be seen. We will carry on investigating the various components and update as appropriate.

In the meantime, it is a case of usual rules apply. Treat all messages bearing ‘click_here_to_view_this’ style “gifts” as suspicious, whether received by email or any other messaging platform (irrespective of who the message is from).

Further reading: Graham Cluley has posted on his blog that Facebook are claiming that up to 1800 profiles were affected by the malware attack.