Turkish ‘Delete Virus’ Targets Facebook Users

Facebook continues to be a favorite target for attackers to spread fake wall-post messages or fake scams. Most of the time these fake messages are involved in fake scams that ask users to respond to surveys. Recently, I discovered a Facebook wall post with a malicious website address that was unknowingly shared by a friend. Once infected with this spam, the malicious wall post will also tag all the friends of an infected Facebook user.  Here is the screenshot of a malicious wall post:


The link from this wall post redirects users to a malicious website that hosts malicious code. This site launches its main attack by identifying browsers with the help of the following code:


The preceding code from the malicious site targets Firefox and Chrome browsers on userAgent strings.


If the malware detects Firefox, it presents the following error message in Turkish:


The Google translation of the this message reads:

Please Refresh button, Firefox Add-Update your. Due to system errors and security bugs that are required by pressing the Reload button. Install Firefox Plug-in Update. As long as you have not updated the site faydalanamayacaksýnýz features.

Once clicked, the site installs the malicious “sosyalag.xpi” (XPI extension archive) file for Firefox (from the malicious site) along with a Chrome application from the Google Chrome store (this app has been removed from the store). Here is the JavaScript function used for the Chrome app:



If the malicious site detects Chrome, it will download the malicious file player.exe from the attacker’s dropbox account without asking the user. After using Chrome to visit the site, a victim will see a fake video page:


The malicious site cleverly shows an arrow pointing to the malicious file for download, even though the file has already  arrived. Player.exe makes Chrome install another malicious application by adding an entry for a .crx file from another malicious site under “\Policies\Google\Chrome\ExtensionInstallForcelist\1: “gagalgomhifgcmeciklindhpaihmecgi;https://XXXXXX.com/maflu.xml.” Once an infected user enters Facebook, the malicious code runs JavaScript in the background, infecting further users.

VirusTotal Detection




The XPI extension file for Firefox contains malicious JavaScript code that targets Facebook. Here is screenshot of one of the files:


The name in the preceding script “Virusü Sil” is Turkish, which in English is “Delete Virus.” Malicious sites hosting the files present user with information in Turkish. This campaign is aimed against Turkish Facebook users, but it’s not limited to them. Once someone is infected with these extensions, a victim can spread the same post by tagging their friends.

Facebook has already removed these malicious messages from the infected users’ wall posts. The malicious apps have also been removed from Google Chrome store.