
Author Topic: Turkish ‘Delete Virus’ Targets Facebook Users  (Read 1472 times)

  • Pez
Turkish ‘Delete Virus’ Targets Facebook Users
« on: 09. April 2013., 09:17:38 »

Facebook continues to be a favorite target for attackers to spread fake wall-post messages or fake scams. Most of the time these fake messages are involved in fake scams that ask users to respond to surveys. Recently, I discovered a Facebook wall post with a malicious website address that was unknowingly shared by a friend. Once infected with this spam, the malicious wall post will also tag all the friends of an infected Facebook user.  Here is the screenshot of a malicious wall post:

The link from this wall post redirects users to a malicious website that hosts malicious code. This site launches its main attack by identifying browsers with the help of the following code:

The preceding code from the malicious site targets Firefox and Chrome browsers on userAgent strings.


If the malware detects Firefox, it presents the following error message in Turkish:

The Google translation of this message reads:

Please Refresh button, Firefox Add-Update your. Due to system errors and security bugs that are required by pressing the Reload button. Install Firefox Plug-in Update. As long as you have not updated the site faydalanamayacaksınız features.

Once clicked, the site installs the malicious “sosyalag.xpi” (XPI extension archive) file for Firefox (from the malicious site) along with a Chrome application from the Google Chrome store (this app has been removed from the store). Here is the JavaScript function used for the Chrome app:


If the malicious site detects Chrome, it will download the malicious file player.exe from the attacker’s Dropbox account without asking the user. After using Chrome to visit the site, a victim will see a fake video page:

The malicious site cleverly shows an arrow pointing to the malicious file for download, even though the file has already arrived. Player.exe makes Chrome install another malicious application by adding an entry for a .crx file from another malicious site under “\Policies\Google\Chrome\ExtensionInstallForcelist\1: “gagalgomhifgcmeciklindhpaihmecgi;” Once an infected user enters Facebook, the malicious code runs JavaScript in the background, infecting further users.

VirusTotal Detection




The XPI extension file for Firefox contains malicious JavaScript code that targets Facebook. Here is a screenshot of one of the files:

The name in the preceding script “Virusü Sil” is Turkish, which in English is “Delete Virus.” Malicious sites hosting the files present users with information in Turkish. This campaign is aimed against Turkish Facebook users, but it’s not limited to them. Once someone is infected with these extensions, a victim can spread the same post by tagging their friends.

Facebook has already removed these malicious messages from the infected users’ wall posts. The malicious apps have also been removed from Google Chrome store.

Original article: Monday, April 8, 2013 at 2:48pm by Umesh Wanve

"Sorry I have not found a larger version of some of the pictures. The others are clickable to get them larger."
There are two easy ways to configure a system!
Everything open and everything closed.
Everything else is more or less complex.
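
The forced-install policy entry described in the post can be checked for from the defender's side. The following is an added example, not part of the original post or article: it parses `reg query` output for the Chrome `ExtensionInstallForcelist` key and flags entries that are not on an approved list or that update from outside the Chrome Web Store. The registry hive, the update URLs and the approved ID in the sample are assumptions constructed for illustration; only the first extension ID comes from the post.

```python
import re
from urllib.parse import urlparse

WEBSTORE_HOST = "clients2.google.com"   # Chrome Web Store update host
ID_RE = re.compile(r"^[a-p]{32}$")      # Chrome extension IDs: 32 chars, a-p
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

# Constructed `reg query` output. The hive and both update URLs are assumptions;
# the first ID is the one quoted in the post, the second is a made-up approved ID.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
    1    REG_SZ    gagalgomhifgcmeciklindhpaihmecgi;https://updates.example.invalid/ext.xml
    2    REG_SZ    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx
"""

def parse_forcelist(reg_output):
    """Return (value_name, extension_id, update_url) for each REG_SZ value."""
    entries = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m or m.group(2) != "REG_SZ":
            continue  # key header, blank line, or unexpected value type
        ext_id, _, url = m.group(3).strip().partition(";")
        entries.append((m.group(1), ext_id.strip(), url.strip()))
    return entries

def audit(reg_output, approved_ids):
    """Flag force-installed extensions that are unapproved or side-loaded."""
    findings = []
    for name, ext_id, url in parse_forcelist(reg_output):
        reasons = []
        if not ID_RE.match(ext_id):
            reasons.append("malformed extension id")
        if ext_id not in approved_ids:
            reasons.append("id not on approved list")
        # An empty URL means Chrome falls back to the Web Store.
        if url and urlparse(url).hostname != WEBSTORE_HOST:
            reasons.append("update URL outside Chrome Web Store")
        if reasons:
            findings.append((name, ext_id, reasons))
    return findings

if __name__ == "__main__":
    for name, ext_id, reasons in audit(SAMPLE, {"a" * 32}):
        print(f"value {name}: {ext_id}: {', '.join(reasons)}")
```

On a machine with no managed Chrome policy, any value under this key at all is worth investigating.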
