Code executed in the browser hijacks Orkut in Brazil

[Henrique - RJ]

The attack is affecting millions of Brazilians in Orkut.

The cracker, in the phishing site, asks the person run the code in the browser:

Any antivirus is detecting.

[Pondus]

dont post potentially malwarecode in the forum, as this can/will trigg AV warnings if/when detected by any AV to those entering the forum
so please remove the code, if you want to post it take a picture of it and post the pic

[Pondus]

VirusTotal 0/42
http://www.virustotal.com/file-scan/report.html?id=f6789f5ca78162bf54030af39980ba920e2c19ba80cbc662b59af87590811787-1309717773

[Henrique - RJ]

Exact, any antivirus detects it for the time being ...

[polonus]

Hi  Henrique - RJ,

There is a write-up on this threat which can be read here: http://www.knowthetech.com/2010/11/orkut-infected-with-malware-again.html
More to be found on the google help page here: http://www.google.com/support/forum/p/orkut/thread?tid=3c422fbd51d16b83&hl=en
MBAM, SAS and HitmanPro Scans are being adviced in the link given. The use of HitmanPro should only be performed under professional guidance, because if not properly handled it could ruin your operational system,

polonus

[Henrique - RJ]

Hi  Henrique - RJ,

There is a write-up on this threat which can be read here: http://www.knowthetech.com/2010/11/orkut-infected-with-malware-again.html
More to be found on the google help page here: http://www.google.com/support/forum/p/orkut/thread?tid=3c422fbd51d16b83&hl=en
MBAM, SAS and HitmanPro Scans are being adviced in the link given. The use of HitmanPro should only be performed under professional guidance, because if not properly handled it could ruin your operational system,

polonus

But my intention to open this topic is that the signature is created for the database so that Avast detects this.

[Pondus]

NORMAN analysis

Hi,

"Script.txt" contins a url (hxxp://chiipssgoogle.hd1.in/cod2.txt) to download another obfucated script to work on Orkut profile. Further it redirects to fake  URL.

Readable format of this script is at: hxxp://pastebin.com/EtjRJ3CB

"script.txt"  would be detected as "JS/Redirector.CO"

Thanks

[Henrique - RJ]

Avast team seems not be interested.

[polonus]

Hi Henrique - RJ,

Did you sent your observations and the malcode link to virus AT avast dot com via mail?
If so they will not send you a personal notification, but it is my experience that they take all that is being sent there very, very seriously. Especially where Brazilian banking trojans are concerned they should be extra watchful, seen to the overal avast detection rate that is open to some real improvement, so stay optimistic, Henrique - RJ. Avast never had let us down, so wait for detection...

polonus

[Henrique - RJ]

Yes I sent many days ago ...

[Henrique - RJ]

and avast still not detect the script ...

The avast team has no interest !

[Pondus]

can you post the link to the scan result ?

[Henrique - RJ]

Of VirusTotal ?

[Pondus]

yes if that is where you scanned it

[Henrique - RJ]

http://www.virustotal.com/file-scan/report.html?id=7c2f842efcd6903cc71985c239136ac7bab5506b6ab0b8bb26ee7d60495c8ad2-1310247801

And should have many malicious scripts of Orkut that avast does not detect and the avast team has not interest ...

Avira and Norman already detecting !