
Trojan:JS/Febipos.A


Microsoft security software detects and removes this threat.

This trojan can use your Facebook profile to post, like pages and comment without your permission.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

If you use the Chrome or Firefox browser, check and verify every add-on that you have installed.

Update vulnerable applications

This threat may have been downloaded through a software vulnerability. After removing this threat, make sure that you install the updates available for your software. The following links have more information about updating software that is commonly targeted by malware:

Threat behavior

This threat is installed as an add-on for Chrome and Mozilla Firefox internet browsers. It does not affect Internet Explorer.

Trojan:JS/Febipos.A can be installed by the malware TrojanDropper:Win32/Febipos.A.

Once installed, the trojan checks for, downloads, and installs an updated copy of itself from the following URLs:

Chrome:

  • du-pont.info/<removed>/pt_PT/BL-chromebrasil.crx
  • le-super.info/<removed>/pt_PT/BL-chromebrasil.crx
  • supch.info/<removed>/ch_CH/chromechinaescapeone.crx
  • upbrtwo.info/<removed>/pt_BR/chromebrasilescapethree.crx
  • upsbr.info/<removed>/pt_BR/chromebrasilescapethree.crx
  • upsv-fr.info/<removed>/fr_FR/chromefranceescapeone.crx

Mozilla Firefox:

  • du-pont.info/<removed>/pt_PT/BL-mozillabrasil.xpi
  • le-super.info/<removed>/pt_PT/BL-mozillabrasil.xpi
  • supch.info/<removed>/ch_CH/mozillachinaescapeone.xpi
  • upbrtwo.info/<removed>/pt_BR/mozillabrasilescapeone.xpi
  • upsbr.info/<removed>/pt_BR/mozillabrasilescapeone.xpi
  • upsv-fr.info/<removed>/fr_FR/mozillafranceescapeone.xpi

It will then attempt to read a configuration file that tells the trojan what actions to perform. This file might be one of the following:

  • avbr.<removed>/sqlvarbr.php
  • frupsv.<removed>/sqlvarfr.php
  • le-chinatown.<removed>/sqlvarch.php
  • leferrie.<removed>/sqlvarbr.php
  • lesmecz.<removed>/sqlvarbr.php
  • supbr.<removed>/sqlvarbr.php

The file has a list of commands for what the trojan can do in your Facebook account, including:

  • Liking a page
  • Sharing a post
  • Posting messages
  • Joining a group
  • Inviting your friends to a group
  • Sending messages and links via chat
  • Commenting on posts

The content of these posts changes regularly and can include links to Facebook pages or external websites.
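
The update and configuration URLs listed above can be turned into a check over web proxy logs. The following is an added example, not part of the original entry or of Microsoft's detection logic; the log line format (time, client, method, URL), the sample lines, the client addresses and the supbr.example host are constructed, and the <removed> parts of the listed URLs are treated as wildcards rather than filled in.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from this entry. "<removed>" parts are elided on the page
# and are matched as wildcards here, never guessed.
UPDATE_HOSTS = {"du-pont.info", "le-super.info", "supch.info",
                "upbrtwo.info", "upsbr.info", "upsv-fr.info"}
CONFIG_LABELS = {"avbr", "frupsv", "le-chinatown", "leferrie", "lesmecz", "supbr"}
CONFIG_FILE = re.compile(r"^sqlvar(br|fr|ch)\.php$")


def classify(url):
    """Return 'update', 'config' or None for one requested URL."""
    if "://" not in url:
        url = "http://" + url          # proxy logs often omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    leaf = parts.path.rsplit("/", 1)[-1].lower()
    # Self-update: add-on package (.crx / .xpi) fetched from a listed host.
    if host in UPDATE_HOSTS and leaf.endswith((".crx", ".xpi")):
        return "update"
    # Config hosts are listed as "<label>.<removed>": compare the first label only.
    if host.split(".")[0] in CONFIG_LABELS and CONFIG_FILE.match(leaf):
        return "config"
    return None


def scan(lines):
    """Yield (client, kind, url); assumed line format: 'time client method url'."""
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                   # skip malformed or truncated lines
        kind = classify(fields[3])
        if kind:
            yield fields[1], kind, fields[3]


# Constructed sample log (hypothetical clients; elided path parts shown as 'x').
SAMPLE = [
    "2013-04-10T09:00:01 10.0.0.5 GET http://upsbr.info/x/pt_BR/chromebrasilescapethree.crx",
    "2013-04-10T09:00:03 10.0.0.5 GET http://supbr.example/sqlvarbr.php",
    "2013-04-10T09:00:07 10.0.0.9 GET https://www.facebook.com/",
    "2013-04-10T09:00:09 10.0.0.9 GET http://upsbr.info/index.html",
    "truncated line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A client that produces both an update hit and a config hit is the strongest signal; the config match alone keys on a host label and file name, so treat it as a lead to confirm against the installed add-ons.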

Additional information

The blog post Browser extension hijacks Facebook profiles has more information about this threat.

Analysis by Jonathan San Jose.


Symptoms

Alert notifications from your antivirus software may be the only symptoms of this threat.

You may find you have liked or shared Facebook content without your consent.


Prevention


Alert level: Severe
First detected by definition: 1.147.1524.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Apr 10, 2013
This entry was first published on: Apr 10, 2013
This entry was updated on: Aug 28, 2013

This threat is also detected as:
No known aliases