Hi Geeks, You can read the de-obfuscated and fully documented code here<http://gatoni.gr/wp-content/uploads/2011/02/fbcreeper_analysis.js.txt> .
This is the URLs distributing the malware: - http://fbcreeper.info/ - http://procreeper.info/ - http://profilechecker.info/ - http://thefbcreeper.info/ This is what this malware does: - Posts links on victim’s wall, which advertise the malware - Posts links to victim’s contacts’ walls, which advertise the malware - Posts links to pages created or administered by victim, which advertise the malware - Adds users with emails [email protected] and [email protected] as administrators to the pages created by the victim. - Sends private messages, advertising the malware - “Likes” pages “DJ-Emphatic” and “OH Whutt” with victim’s account - Invites all contacts to an event (which seems to be removed now) - Sends user to http://fbviews.org/result.php, where the user is asked to do some “anti-spam verification tests” before he can view the results. Of course there are no results, and the malware developers earn money from bringing traffic to the sites mentined there. As of yesturday (22nd February 2011, 23:40 GMT+2), somewhere between 11,000 and 20,000 accounts are infected. Cheers, 0xN41K -- You received this message because you are subscribed to the Google Groups "nforceit" group. To post to this group, send an email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/nforceit?hl=en-GB.
