Virus from Facebook Chat masked in a Mediafire image link Explained – How to Remove

Over the past few days, I have been continuously receiving Facebook chat messages that contain only a direct link from mediafire.com that links to an image file. I don’t usually click on those, as I know it is pretty much unsafe.

This is not a new story for us to hear. You could be sending or posting spam messages/comments if you had allowed a suspicious app to be installed on your Facebook account, as you are giving it the permissions it needs. But in this case, no app is installed, and still these clicky Facebook users are sending such spam, which is in fact a virus; a Trojan, maybe.

First, let me show you a sample:

Guys really do love clicking on just about anything, haha

That is a snapshot of a Facebook conversation. I told him to remove all the Facebook apps he had installed and also advised him to change his account password, but the problem still persists. So the culprit is not an app, and the account is not compromised internally.

If you try to search for stuff concerning this on the internet search engines, you can’t find anything clear. But that search also led me to remember an old issue of a Skype virus being spread via chat.

That virus is said to be an image link as well, uploaded to a site like mediafire.com. This site explains that it is an *.SCR file, and remembering from the past, such file types usually contain Trojan viruses.

Reading that site made me think that it could be the same thing messing with my friends’ Facebook accounts.

Here is a sample link that is being sent via Facebook chat:

  • http://www.mediafire.com/?ugz9e9co5nlpl7p/photo-0513-0513.jpeg

It’s pretty annoying to constantly receive such messages while you are available on chat. Please don’t visit the link.

If you know mediafire, then you’ll think that it is a direct link to an image file and it is safe to click it.

Usually mediafire links are like this:

  • http://www.mediafire.com/?ugz9e9co5nlpl7p

I tried checking it that way, but my download manager prompted like this:

*.exe?

It leads us to a downloadable EXE file. What I think is that, when the direct link is clicked, it automatically executes the file that infects one’s computer; and once you are logged in on Facebook, it sends another couple of spam messages in which the URL is never identical.

iseewhatyoudidthere

I tried downloading it. It was saved as an exe file with an intriguing thumbnail icon. I bet pervs will click it instantly, and since it is not an image file for real, no image viewing window is opened. The virus just executes and makes its easy entrance into your system. This shit was cleverly created, so it can still get to the system in case someone decides to download it. Good thing I was not enticed by the thumbnail.
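As an added example (not code from the original post), this Python check compares what a link advertises with what was actually downloaded, using the file's leading bytes instead of its name or icon. The saved file name `download.exe` and the header bytes are constructed for illustration; the real sample is not reproduced.

```python
import os
from urllib.parse import urlsplit

# Leading "magic" bytes of the formats that matter here.
MAGIC = [
    (b"MZ", "windows-executable"),   # PE files: .exe, .scr, .dll
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
]
IMAGE_EXTS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}

def sniff(head):
    """Classify content by its first bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"

def claimed_ext(link):
    """Extension the link text advertises, from the query or the path."""
    parts = urlsplit(link)
    for segment in (parts.query, parts.path):
        name = segment.rstrip("/").rsplit("/", 1)[-1]
        ext = os.path.splitext(name)[1].lower()
        if ext:
            return ext
    return ""

def check_download(link, saved_name, head):
    """Return findings for a file fetched from a link that looks like an image."""
    findings = []
    advertised, actual = claimed_ext(link), sniff(head)
    saved_ext = os.path.splitext(saved_name)[1].lower()
    if advertised in IMAGE_EXTS and actual != IMAGE_EXTS[advertised]:
        findings.append(f"link advertises {advertised}, content is {actual}")
    if advertised in IMAGE_EXTS and saved_ext in EXECUTABLE_EXTS:
        findings.append(f"image-looking link was saved as {saved_ext}")
    if actual == "windows-executable":
        findings.append("content starts with MZ (Windows executable)")
    return findings

if __name__ == "__main__":
    link = "http://www.mediafire.com/?ugz9e9co5nlpl7p/photo-0513-0513.jpeg"
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60   # constructed header, not the real sample
    for finding in check_download(link, "download.exe", fake_exe):  # hypothetical name
        print("WARNING:", finding)
```
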

as usual, Norton didn’t detect anything

I tried scanning it with my licensed and updated Norton Internet Security, and nothing suspicious was detected. I then decided to scan it online, and here are the results:

On VirusTotal, only 2 out of 46 virus scanners detected something malicious. Kingsoft with a 20130506 database says “VIRUS_UNKNOWN” while McAfee-GW-Edition with a 20130512 database detected it as:

  • Heuristic.BehavesLike.Win32.Suspicious-PKR.G

Jotti Malware Scanner detected nothing though. VirScan.org didn’t find anything either.

Bottom line is, there is a detection which couldn’t possibly be a false detection. The shit is fairly new, so AVs/malware scanners aren’t able to detect it yet, or they just don’t think that it is malicious or just that threatening.

But one thing is for sure, it is annoying. And nobody really wants that happening with their accounts. It will annoy your friends as well.

you don’t say

I told my friend to install this Trojan Killer app and run a scan. It was also the suggested app from the Skype Virus info page, so I thought it might work. He wasn’t able to run the scan due to his reasons, and guess what I found out: sending messages doesn’t happen when he’s offline.

TrojanKiller

I decided to try it myself. I downloaded it from this link:

  • http://trojan-killer.net/download.php

I found out that it is not freeware, but you can still fully use the app’s scan functionality for 15 days. I scanned the folder where I have the shit I downloaded, but nothing was detected. I decided to run a full scan, and there were a couple of EXEs and DLLs that were detected, but they are from the previous applications and games I have on my PC.

I then completely deleted the file I had downloaded. I am pretty certain that I am still uninfected even though I had that file on my drive, as my Facebook account isn’t sending any messages.

I cannot guarantee that the Trojan Killer program will really resolve this, but it is still worth a try. You can scan and find the files which are suspicious, and since the app requires a license for removal of detected files, you could just delete them manually, because you know the file extension.

It is still not verified yet. I do not want to risk my own machine’s security, as we still don’t know what other things the EXE is able to do. It might be able to extract your sensitive data; we never know.

If only this Facebook redirection catch page worked as well while you’re logged on.

when logged in, you are automatically redirected

In the end, it is not your account, it is the computer you are using.

If you have something to share, let us know.

Update

Yup, TrojanKiller is not free and is not able to delete the files for you. You might just want to try an alternative, say Malwarebytes.