Beware: a new Facebook virus is impersonating your friends by maliciously tagging you


Did a friend recently tag you on Facebook? It may be a new virus that has recently been spreading rapidly on the Israeli web.

Did you click on the tag, making your computer download a file? Beware!

Starting yesterday, we began receiving a number of queries from readers who got an alert on Facebook that they had been tagged by a friend. After they clicked on the link in order to see the relevant post, they noticed that a file had been downloaded to their device, whether a smartphone or a computer.

An analysis by the Information Security Forum of the Stack Exchange developers’ website shows that clicking on the link automatically activates a JavaScript file. The virus bypasses the various defense mechanisms, including those of Facebook, by making them think that it is downloading a .jpg file to the computer, but what it actually downloads are operating files. After downloading, the script infects the victim’s browser so that they will infect others, and changes the file name to autoit.exe. An analysis of the file shows that it is a Ransomware virus programmed to encrypt the victim’s most important files, blocking access to them unless he or she pays the developers of the virus.

Part of the code used for running the hack Source: Screenshot from stackexchange

As of now, it appears that the virus is liable to affect only computers in a Windows environment, not other operating systems, such as Linux or Mac OS, or operating systems for mobile devices, such as Android and iOS. It is important to emphasize that the code in question is not connected to Facebook itself. Nevertheless, following calls by infected users and information security investigators to Facebook and Google, on whose servers part of the malware code is stored, the links were removed.

What can be done?

If you are not using one of the affected operating systems, you can simply delete the file, whose name is comment_24016875.jse, from the system’s file manager, and carry on from there as usual.

If the file has been downloaded to a computer that runs Windows and you have not activated it, you can simply delete it by entering the downloads folder of your browser, locating the file, and deleting it.
If you have already activated the file, it is time to pray that your anti-virus intercepts it, and start praying to the higher power of the interwebs.

In any case, in order to make sure that you are not infecting your friends, it is also recommended to enter the list of add-ons installed on your desktop browser, and delete unknown add-ons. Then do the same thing on your Facebook app. That, for example, is how you do it on Chrome, and you can do the same thing on Facebook.
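For locating the downloaded file described above, here is an added example (not code from the original article or from the Stack Exchange analysis) that lists files in a downloads folder worth reviewing before deletion. The function names are hypothetical; matching any digits after `comment_`, flagging other Windows Script Host extensions, and checking `.jpg` files for real JPEG content are assumptions that go beyond the single file name the article reports.

```python
import re
from pathlib import Path

# Extensions that Windows Script Host runs on double-click (generalisation).
SCRIPT_EXTS = {".jse", ".js", ".vbs", ".vbe", ".wsf", ".wsh"}
# The article reports comment_24016875.jse; accepting any digits is an assumption.
REPORTED_SCRIPT = re.compile(r"^comment_\d+\.jse$", re.IGNORECASE)
# The article says the script renames its download to autoit.exe.
REPORTED_EXE = "autoit.exe"
JPEG_MAGIC = b"\xff\xd8\xff"


def classify(path):
    """Return a reason string if the file deserves a look, else None."""
    name = path.name
    ext = path.suffix.lower()
    if REPORTED_SCRIPT.match(name):
        return "matches the reported script name"
    if name.lower() == REPORTED_EXE:
        return "matches the reported executable name"
    if ext in SCRIPT_EXTS:
        return "script that Windows runs on double-click"
    if ext in {".jpg", ".jpeg"}:
        # Assumption: a disguised download may keep an image extension.
        with path.open("rb") as fh:
            if fh.read(3) != JPEG_MAGIC:
                return "image extension but not JPEG content"
    return None


def scan_downloads(folder):
    """Return (file name, reason) pairs for files to review; deletes nothing."""
    findings = []
    for p in sorted(Path(folder).iterdir()):
        if p.is_file():
            reason = classify(p)
            if reason:
                findings.append((p.name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in scan_downloads(Path.home() / "Downloads"):
        print(f"{name}: {reason}")
```

The script only reports; review each listed file and delete it from the file manager as described above without opening it.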

This is of course not the first, and likely not the last, appearance of a virus that takes advantage of the prodigious distribution capabilities of the social networks. Just two months ago, a virus ran amok on Facebook inviting users to view a video clip ostensibly posted by a friend. Before that, it was a Trojan horse also disguising itself as tagging by a friend.

