December 05, 2011, 3:14 PM — A worm is spreading through the chat system on Facebook and installing the Dorkbot malware onto the computers of infected users, according to Sophos' Naked Security blog. The infection gives the worm's controller access to the accounts of compromised users, which lets the worm spread by sending malware-infused JPG files to Friends of the infected user.
When it can't pose as a friend, it poses as two blonde women, according to Sophos' original post Friday.
Users who click on a photo that accompanies the image download an installer for the Dorkbot malware, which Sophos' antivirus detects as the Trojan horses Troj/VB-FRI and Troj/VM-FRJ.
So far, Sophos reports, Facebook's own antivirus isn't picking up the malware.
The worm was developed in Visual Basic 6.0 and "contains numerous Anti-VM tricks directed against VMware, Sandboxie, Virtual Box, etc.," according to the Dutch CSIS Security Group, which first detected the spread of the worm.
The version first detected by CSIS begins by trying to download b.exe from this site: http://www.offi sense.co.il / lang /
Then it tries to copy this onto an infected user's system, according to CSIS:
c: users [% user profile%] m-1-52-5782-8752-5245winsvc.exe
The worm is a lot more serious than just another Facebook worm and worse than anything you'd expect from the name Dorkbot, CSIS reports, though it's probably best not to think about the visual in this description:
"The worm carries a cocktail of malware onto the machine, including a Zbot/ZeuS variant which is a serious threat and steals sensitive information from the infected machine," the CSIS notice read.
If Facebook isn't careful, this one infection could ruin its reputation for protecting the data and privacy of its customers.
That would be terrible.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.