Close Encounters of a Viral Kind (Updated)

(Update at the end.)

There’s something circulating around in bogus messages with subject lines like “Wow! Are you really in this video?”

I received an email from a friend of mine this morning that contained a forwarded Facebook message:

    Could you check this out? AVG says it’s a dangerous Trojan Horse virus. Not sure what that is, but don’t want it.

    (snip signature)

    [Redacted] sent you a message.

    Subject: Wow! Are you really in this video?


The colon in the web address is significant; more on that later.

I tried Googling the name of the video as it appeared in the link. That was a dead end.

I appended “Facebook” to the search string; that turned up a number of references to other Facebook messages containing the same link, but nothing to answer the question, “What is this thingee, anyhoo?” so I went to Trend Micro’s Threat Encyclopedia.

The name of the link again turned up nothing, but there was an item stating that the Koobface Trojan, which targets Facebook users, has returned with a new twist. If you go to their fake Facebook page and then try to close the browser window, it forces a download of its malware. Trend has a video of this behavior in the article.

I clicked the link in my friend’s email. It took me to something that looked like the login page that Facebook displays when you click a Facebook link without being logged into Facebook. But the wording felt wrong–it wasn’t obviously wrong, but it was just off.

I clicked the “Continue” button without entering my user name or password; it continued, whereas Facebook would have thrown an error message and redisplayed the login page. (By the way, don’t click through something like this at home unless you know what you are doing.)

It continued to gibberish, then stalled, because I was using Linux and it didn’t know what to do next.

I emailed my friend that it looked awfully fishy and asked her whether the Facebook friend who emailed her would likely use the subject line, “Wow! Are you really in this video?” My friend said, not in so many words, “Come to think of it, no.”

She later sent me this email:

    A friend told me that this happened to her and sent to everyone in her computer so if something shows up from me, allegedly Facebook saying you are on TV, don’t open it.

After a little checking, I found out that the link in the Facebook message redirects (that’s what the colon in the web address does) to a web address in Spain. Here’s the whois information for the IP address:

    inetnum: –
    netname: NET-ARSYS-EURO-4
    country: ES
    admin-c: ARO12-RIPE
    tech-c: ARO12-RIPE
    remarks: rev-srv:
    remarks: rev-srv:
    status: ASSIGNED PA
    mnt-by: ARSYS-RIPE-MNT
    mnt-lower: ARSYS-RIPE-MNT
    source: RIPE # Filtered
    remarks: rev-srv attribute deprecated by RIPE NCC on 02/09/2009

    role: ARSYS Role Object
    address: C/ Ch1le 54
    address: Logrono 26005 (La Rioja)
    address: SPAIN
    phone: +34 941 620100
    fax-no: +34 941 204793
    e-mail: [email protected]
    remarks: trouble:
    admin-c: NI49-RIPE
    tech-c: RLC11-RIPE
    tech-c: ERO2-RIPE
    tech-c: MdRO1-RIPE
    nic-hdl: ARO12-RIPE
    mnt-by: ARSYS-RIPE-MNT
    source: RIPE # Filtered

    % Information related to ‘’

    origin: AS20718
    mnt-by: ARSYS-RIPE-MNT
    source: RIPE # Filtered

    % Information related to ‘’

    origin: AS20718
    mnt-by: ARSYS-RIPE-MNT
    source: RIPE # Filtered
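
As an added example (not part of the original post): a short Python parser for whois output of this shape, pulling out the fields you would quote when reporting a suspicious link to the hosting network. The sample text is constructed, and its address range is a documentation placeholder because the real range is not shown above.

```python
import re

# Constructed sample modelled on the output above. The address range is a
# placeholder from the documentation block 192.0.2.0/24, not the real one.
SAMPLE = """\
inetnum:    192.0.2.0 - 192.0.2.255
netname:    NET-ARSYS-EURO-4
country:    ES
admin-c:    ARO12-RIPE
mnt-by:     ARSYS-RIPE-MNT
source:     RIPE # Filtered

role:       ARSYS Role Object
address:    SPAIN
nic-hdl:    ARO12-RIPE
mnt-by:     ARSYS-RIPE-MNT

% Information related to '192.0.2.0/24AS20718'

route:      192.0.2.0/24
origin:     AS20718
mnt-by:     ARSYS-RIPE-MNT
"""

def parse_objects(text):
    """Split whois text into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines() + [""]:      # trailing "" flushes last object
        if line.startswith("%"):               # server comment line
            continue
        if not line.strip():                   # blank line ends an object
            if current:
                objects.append(current)
            current = []
            continue
        m = re.match(r"([A-Za-z0-9-]+):\s*(.*)$", line)
        if m:
            value = m.group(2).split(" # ")[0].strip()   # drop "# Filtered"
            current.append((m.group(1).lower(), value))
    return objects

def summarize(text):
    """Collect the fields worth quoting in a report, de-duplicated."""
    wanted = ("inetnum", "netname", "country", "origin", "mnt-by")
    out = {k: [] for k in wanted}
    for obj in parse_objects(text):
        for attr, value in obj:
            if attr in out and value and value not in out[attr]:
                out[attr].append(value)
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```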


My friend got another email this morning. Here’s what she had to say about it. To put this in context, many persons would consider my friend and me to be “older” already. We don’t, but we did listen to White Rabbit when it was first released. And understood it:

    Got another one this am from an older lady friend who said, “Wow. Awesome booty on that video.”

    She would never say “awesome booty.” good grief.
