Trojan:JS/Kilim

Classification

Category: Malware

Type: Trojan

Aliases:

  • Trojan:JS/Kilim
  • Trojan:W32/Kilim

Summary

Trojan:JS/Kilim is a family of malicious browser extensions that post unauthorized content to the user's Facebook Wall.

Technical Details

Kilim is the name for a family of malware that installs browser extensions which post unauthorized content to the user's Facebook Wall.

Kilim is distributed in executable files that use names such as "flashplayer", "video installer", "premium installer" or similar, in order to lure an unsuspecting user into installing the program. These extensions may claim to contain some form of beneficial or desirable functionality (e.g., "Change the color of Facebook profile"); they may or may not perform as claimed, but do run malicious routines in the background.

The binary files from this family are identified as Trojan:W32/Kilim, while the browser extensions themselves are detected as Trojan:JS/Kilim.

This malware family is primarily targeted at Turkish Facebook users.

Installation

On execution, the executable saves a copy of itself to the infected machine, then contacts a remote server to download web browser extension or add-on files (CRX files for Chrome browsers and XPI files for Firefox browsers).

To install the downloaded extensions, Kilim may download a preferences file (used by the web browser to manage the extensions) predefined with the malicious additions, and replace the existing preferences file with the downloaded one. Alternatively, the extensions may be installed by modifying the Windows registry.
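A defender can look for both installation routes by auditing the extension entries in a Chrome profile's preferences file. The following is an added example, not code from the original page or from F-Secure; it assumes the profile JSON keeps per-extension entries under `extensions.settings` with `location` and `from_webstore` fields, and it runs on a constructed sample rather than a real profile.

```python
import json

# Numeric install locations stored in each entry's "location" field
# (assumption: numbering follows Chromium's ManifestLocation enum).
LOCATION = {
    1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
    5: "component", 6: "external_pref_download", 7: "external_policy_download",
    8: "command_line", 9: "external_policy", 10: "external_component",
}
SIDELOADED = {2, 3, 4, 6, 8}   # dropped on disk, registry, or loaded unpacked
BUILT_IN = {5, 10}             # shipped with the browser itself


def audit_extensions(prefs_text):
    """Return one finding per extension that did not come from the web store."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in sorted(settings.items()):
        loc = entry.get("location")
        reasons = []
        if loc in SIDELOADED:
            reasons.append("installed via " + LOCATION[loc])
        if loc not in BUILT_IN and not entry.get("from_webstore", False):
            reasons.append("not from web store")
        if reasons:
            name = entry.get("manifest", {}).get("name", "<no manifest>")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


# Constructed sample: IDs and names are made up for illustration.
SAMPLE = json.dumps({"extensions": {"settings": {
    "a" * 32: {"location": 1, "from_webstore": True,
               "manifest": {"name": "Ad Blocker"}},
    "b" * 32: {"location": 3, "from_webstore": False,
               "manifest": {"name": "Profile Color Changer"}},
    "c" * 32: {"location": 5, "from_webstore": False,
               "manifest": {"name": "Built-in PDF Viewer"}},
}}})

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE):
        print(f["id"], f["name"], "; ".join(f["reasons"]))
```

A finding is a prompt for review, not a verdict: enterprise-deployed and developer-loaded extensions will also appear.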

Behavior

Once installed, the extension essentially uses the user's Facebook account to post status messages and/or links to their profile page, send messages to contacts, Like or Follow pages and so on. Links included in the spammed messages or posts will use typical social-engineering style content (e.g., "Free ipad giveaway!") to encourage readers to click on them.

The malicious extensions may also forcibly close the tab when the user attempts to open the Extensions tab in the browser; remove other installed extensions; terminate or delete Googleupdate.exe to prevent the browser from getting updates that might interfere with the malicious extensions; and disable User Account Control (UAC).

More

For more information about Kilim, see:
