Categories Security

Investigating the case of a pesky facebook worm

So the other day one of my friends sent me a link that looks like this.


I wonder who with their right mind will click on that :/ But anyways. So I opened the link in tor (with javascript disabled) which gives a blank page. But no worries. View source and we are already looking at something interesting.

evil, bad, pocha, source
evil source

I downloaded the source and saved in an html file. Then opened it with notepad++.

initial virus

It looks something like this after some code beautification. Now the most important part is within the script tag. I haven’t tested what the other links are doing. After some clever replace actions code looks more understandable.


It is very clear that the doEvil function is taking an encoded string and decoding it to basically and url which is then taken by the which is then appended to the html. It was very easy to get the url. Just print the output of doEvil funtion with the encoded string as parameter.


There we go. Now lets input the link in tor again.


We get another link. This looks like a linkception but we are patient. Lets input that again.


Is this just jquery v1.9 or something else I dont know. I have not analysed it. Probably uses the other links in some ways. I will just submit this link to google.


like so.

If you want to take a look for yourselves.

Initial Source Code –

Jquery Source Code (Obsfucated)-

If you clicked on the link its best to just resetup windows. These tools below may help but no 100% guarantee. Try all three in order.

  1. Malwarebytes
  2. Adwcleaner
  3. RogueKiller

About the author

Leave a Reply

Your email address will not be published. Required fields are marked *