Worm:JS/Depslear.A
First posted on 08 February 2012.
Source: Microsoft
Aliases:
Worm:JS/Depslear.A is also known as JS/FBspam (AVG).
Explanation:
Worm:JS/Depslear.A is a JavaScript worm that spreads via Facebook posts.
Spreads via...
Worm:JS/Depslear.A checks the browser for cookies related to the Facebook website. If found, it uses the cookies to gain access to the user's friends list. It may then post any of the following messages to the Walls of all of the user's Facebook friends:
Other samples of Worm:JS/Depslear.A send the message via Facebook chat to online friends.
The link may also appear shortened. It connects to different domains such as the following:
- tee<removed>ttemptsnancy6.blogspot.com
- tee<removed>ttemptsdeann2.blogspot.com
- nas<removed>irl.blogspot.com
- mlo<removed>kjhgcj.blogspot.com
- emm<removed>heckon.blogspot.com
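
An added example, not part of the original entry or of Microsoft's tooling: one way to triage proxy logs against the redacted domains listed above, treating `<removed>` as an unknown run of hostname characters. The log format, the `xxxx`/`xx` filler hostnames and all function names are constructed for illustration; because the redacted text is unknown, a match is a lead to investigate rather than a confirmed indicator.

```python
import re
from urllib.parse import urlsplit

REDACTED_HOSTS = [  # exactly as published in this entry
    "tee<removed>ttemptsnancy6.blogspot.com",
    "tee<removed>ttemptsdeann2.blogspot.com",
    "nas<removed>irl.blogspot.com",
    "mlo<removed>kjhgcj.blogspot.com",
    "emm<removed>heckon.blogspot.com",
]

def compile_indicator(redacted):
    # Assumption: the redacted run is 1+ hostname-label chars, never a dot.
    parts = [re.escape(p) for p in redacted.lower().split("<removed>")]
    return re.compile("^" + "[a-z0-9-]+".join(parts) + "$")

PATTERNS = [(h, compile_indicator(h)) for h in REDACTED_HOSTS]

def match_host(url_or_host):
    """Return the published indicator this URL/hostname fits, else None."""
    value = url_or_host.strip().lower()
    try:
        host = urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return None
    host = (host or "").rstrip(".")  # tolerate a trailing root dot
    for indicator, pattern in PATTERNS:
        if pattern.match(host):  # anchored: no suffix or parent-domain tricks
            return indicator
    return None

def triage(log_lines):
    """Return (client, indicator) for each '<client> <url>' line that fits."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 2:
            continue  # skip lines that are not in the assumed format
        indicator = match_host(fields[1])
        if indicator:
            hits.append((fields[0], indicator))
    return hits

# Constructed sample log; "xxxx"/"xx" stand in for the unknown redacted text.
SAMPLE_LOG = [
    "10.0.0.5 http://teexxxxttemptsnancy6.blogspot.com/",
    "10.0.0.7 https://www.facebook.com/home.php",
    "10.0.0.9 http://mloxxkjhgcj.blogspot.com/2012/02/page.html",
]
```
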
The link may open to a webpage that requests the user to install fake plugins for Mozilla Firefox or Google Chrome:
Once installed, these fake plugins may redirect users to other malicious files. In the wild, the redirection has been observed to lead back to samples of Depslear.A. This ensures that if a friend clicks on one of the messages posted from your computer, their computer in turn posts the same messages to their own Facebook friends.
Payload
Displays a webpage
Some variants of Worm:JS/Depslear.A check for the current location of the affected computer. If the location is any of the following, it displays a fake survey page:
- Australia
- Canada
- Finland
- Ireland
- South Africa
- United Kingdom
- United States
Analysis by Elda Dimakiling
Last update 08 February 2012