Trojan:JS/Kilim.A


Microsoft security software detects and removes this threat.

This threat is a Chrome browser extension that hijacks your Facebook, Twitter or YouTube account to promote pages. It may post hyperlinks or like pages on Facebook, post comments on YouTube videos, or follow profiles and send direct messages on Twitter without your permission.

It is installed on your computer by Trojan:AutoIt/Kilim.A.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

You can remove the browser extensions created by this trojan by uninstalling and reinstalling the Chrome browser, or by following the instructions below:

1. Close the Chrome browser

2. Find your Chrome profile folder location. The location of this folder will change, depending on your Windows operating system:

When you open this file you may see an extensions list similar to the following:

3. Delete all the folders within the extensions folder. Note: This will remove all your Chrome browser extensions.

Threat behavior

Installation

Trojan:AutoIt/Kilim.A installs Trojan:JS/Kilim.A as two malicious Chrome browser extensions using the following configuration files and registry entries:

In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Value: "1"
With data: "%windir%\AdobeFlash\update.xml"

In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Value: "2"
With data: "%windir%\adobeflash2\update.xml"

The trojan then closes the Chrome browser. The malicious extensions are installed the next time the Chrome browser is run.
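The ExtensionInstallForcelist policy is what lets the dropper install the extensions silently: Chrome treats every value under that key as `<extension id>;<update URL>` and installs from that URL without prompting the user, which is why pointing it at a local update.xml is enough. The following Python script is an added example, not part of this write-up or of Microsoft's tooling. It flags forcelist entries whose update source is anything other than the Chrome Web Store and parses a Chrome-format update manifest to show where the .crx would actually be fetched from. The registry values and the update.xml contents are constructed samples modelled on the entries above; the extension id, the .crx path and the optional winreg reader are assumptions, not indicators from the analysis.

```python
"""Inspect Chrome ExtensionInstallForcelist data for non-Web-Store sources.

Added example (not MMPC code). Works offline on constructed sample data;
read_forcelist_from_registry() is an optional live reader for Windows hosts.
"""
import re
import xml.etree.ElementTree as ET

# Only update source Chrome itself uses for Web Store extensions.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
FORCELIST_SUBKEY = r"SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
# Chrome extension ids are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed sample: values "1" and "2" mirror the write-up's entries,
# value "3" is a well-formed, benign-looking Web Store entry for contrast.
# The extension id below is an assumption, not a real indicator.
SAMPLE_FORCELIST = {
    "1": r"%windir%\AdobeFlash\update.xml",
    "2": r"%windir%\adobeflash2\update.xml",
    "3": "abcdefghijklmnopabcdefghijklmnop;" + WEBSTORE_UPDATE_URL,
}

# Constructed update manifest in Chrome's autoupdate (Omaha) response format.
# 'codebase' is where Chrome downloads the .crx from; the path is a placeholder.
SAMPLE_UPDATE_XML = """<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>
  <app appid='abcdefghijklmnopabcdefghijklmnop'>
    <updatecheck codebase='file:///C:/Windows/AdobeFlash/EXAMPLE.crx' version='1.0'/>
  </app>
</gupdate>"""


def parse_forcelist_value(data):
    """Split 'id;url' into (extension_id, update_source).

    Values without a valid 32-character id (e.g. a bare file path, as Kilim
    writes) are returned as (None, data) so the caller can flag them.
    """
    ext_id, sep, source = data.partition(";")
    if sep and EXT_ID_RE.match(ext_id):
        return ext_id, source.strip()
    return None, data.strip()


def suspicious_forcelist_entries(values):
    """Return [(value_name, extension_id, update_source)] for every entry
    whose update source is not the Chrome Web Store."""
    findings = []
    for name, data in values.items():
        ext_id, source = parse_forcelist_value(data)
        if source != WEBSTORE_UPDATE_URL:
            findings.append((name, ext_id, source))
    return findings


def crx_sources(update_xml):
    """Parse an update manifest and return [(appid, codebase, version)]."""
    ns = {"g": "http://www.google.com/update2/response"}
    root = ET.fromstring(update_xml)
    out = []
    for app in root.findall("g:app", ns):
        check = app.find("g:updatecheck", ns)
        if check is not None:
            out.append((app.get("appid"), check.get("codebase"), check.get("version")))
    return out


def non_https_crx_sources(update_xml):
    """Entries whose .crx would be loaded from a local file or plain HTTP."""
    return [s for s in crx_sources(update_xml)
            if not (s[1] or "").lower().startswith("https://")]


def read_forcelist_from_registry():
    """Read the live forcelist on a Windows host (returns {} elsewhere).

    Assumption: the policy lives under HKLM, as in this write-up; a per-user
    policy under HKCU would need a second call with HKEY_CURRENT_USER.
    """
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FORCELIST_SUBKEY) as key:
            index = 0
            while True:
                name, data, _ = winreg.EnumValue(key, index)
                values[name] = str(data)
                index += 1
    except OSError:
        pass  # key absent or enumeration finished
    return values


if __name__ == "__main__":
    live = read_forcelist_from_registry()
    for finding in suspicious_forcelist_entries(live or SAMPLE_FORCELIST):
        print("forced extension with non-Web-Store source:", finding)
    for src in non_https_crx_sources(SAMPLE_UPDATE_XML):
        print("manifest points at a non-HTTPS crx:", src)
```

On a clean machine the forcelist is usually absent, so an empty result is the expected baseline; the point of the check is that any value whose source is a local path or a non-Google URL is worth a closer look, regardless of what name the dropper chose for the folder.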

Payload

Posts malicious links on social media

Trojan:JS/Kilim.A may access your Facebook, Twitter and YouTube accounts when you log in to them using the Chrome browser. It may post messages, like pages, or follow profiles on Twitter.

An example of the messages it may post includes:

  • "Selam  bir site buldum günlük 250 takipçi veriyor. Sen de denemelisin:)"

This translates as:

  • "I found a site that gives a daily 250 followers. You should too:)"

Additional information

More information about this threat can be found in the blog Rise of the social bots.

Analysis by Karthik Selvaraj


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • If you click on the About menu in the Chrome browser, then select Settings, you will be taken to google.com instead of the settings page
  • www.facebook.com and www.okubakgor.com are automatically opened in tabs when you launch Chrome
  • The presence of the following files:

%windir%\adobeflash\update.xml
%windir%\adobeflash2\update.xml

  • The presence of the following registry modifications:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AdobeFlashUpdateManager"
With data: %windir%\AdobeFlash\<threat name>

In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Value: "1"
With data: "%windir%\AdobeFlash\update.xml"

In subkey: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
Value: "2"
With data: "%windir%\adobeflash2\update.xml"


Prevention


Alert level: Severe
First detected by definition: 1.151.1248.0
Latest detected by definition: 1.153.859.0 and higher
First detected on: May 30, 2013
This entry was first published on: May 30, 2013
This entry was updated on: Jun 12, 2013

This threat is also detected as:
  • JS/Chromex.FBook.F (ESET)