Kilim is the name for a family of malware that installs browser extensions which post unauthorized content to the user's Facebook Wall.
Kilim is distributed in executable files that use names such as "flashplayer", "video installer", "premium installer" or similar, in order to lure an unsuspecting user into installing the program. These extensions may claim to contain some form of beneficial or desirable functionality (e.g., "Change the color of Facebook profile"); they may or may not perform as claimed, but do run malicious routines in the background.
The binary files from this family are identified as Trojan:W32/Kilim, while the browser extensions themselves are detected as Trojan:JS/Kilim.
This malware family is primarily targeted at Turkish Facebook users.
On execution, the executable saves a copy of itself to the infected machine, then contacts a remote server to download web browser extension or add-on files (CRX files for Chrome browsers and XPI files for Firefox browsers).
To install the downloaded extensions, Kilim may download a preferences file (used by the web browser to manage the extensions) predefined with the malicious additions, and replace the existing preferences file with the downloaded one. Alternatively, the extensions may be installed by modifying the Windows registry.
Once installed, the extension essentially uses the user's Facebook account to post status messages and/or links to their profile page, send messages to contacts, Like or Follow pages and so on. Links included in the spammed messages or posts will use typical social-engineering style content (e.g., "Free ipad giveaway!") to encourage readers to click on them.
The malicious extensions may also forcibly close the tab when the user attempts to open the Extensions tab in the browser; remove other installed extensions; terminate or delete Googleupdate.exe to prevent the browser from getting updates that might interfere with the malicious extensions; and disable User Account Control (UAC).
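Because the extension may hide the Extensions tab, a check that reads the browser's preferences file directly is more reliable than the browser UI. The following is an added example, not code from the original description: it audits a Chrome preferences JSON document for extensions installed from outside the Web Store. The `extensions.settings` layout, the numeric install-location values and the mapping of the described behaviours to the `management` and `tabs` permissions are assumptions, and the sample data is constructed.

```python
import json

# Assumed numeric values of Chromium's extension install-location enum.
EXTERNAL = {2: "external preferences file", 3: "Windows registry",
            4: "unpacked directory"}
# Assumption: permissions matching the behaviours described above
# (removing other extensions, closing the Extensions tab).
RISKY_PERMS = {"management", "tabs"}

def audit_extensions(prefs_text, allowlist=frozenset()):
    """Return [(id, name, reasons)] for suspicious entries in a preferences file."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in sorted(settings.items()):
        if ext_id in allowlist or not isinstance(entry, dict):
            continue
        loc = entry.get("location")
        reasons = []
        if loc in EXTERNAL:
            reasons.append("installed via " + EXTERNAL[loc])
        elif loc == 1 and not entry.get("from_webstore", False):
            reasons.append("user-profile install not from the Web Store")
        if not reasons:
            continue  # store-installed or built-in component: not reported
        manifest = entry.get("manifest", {})
        perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
        if any("facebook.com" in p for p in perms):
            reasons.append("host access to facebook.com")
        risky = sorted(RISKY_PERMS.intersection(perms))
        if risky:
            reasons.append("permissions: " + ", ".join(risky))
        findings.append((ext_id, manifest.get("name", "?"), reasons))
    return findings

# Constructed sample data; the extension IDs and names are made up.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "a" * 32: {"location": 1, "from_webstore": True,
               "manifest": {"name": "Store extension", "permissions": ["storage"]}},
    "b" * 32: {"location": 3, "from_webstore": False,
               "manifest": {"name": "Profile colour changer",
                            "permissions": ["tabs", "management",
                                            "*://*.facebook.com/*"]}},
    "c" * 32: {"location": 5, "from_webstore": False,
               "manifest": {"name": "Built-in component", "permissions": []}},
}}})

if __name__ == "__main__":
    for ext_id, name, reasons in audit_extensions(SAMPLE_PREFS):
        print(ext_id, name, "; ".join(reasons))
```

Pass the IDs of extensions your organisation deploys on purpose as `allowlist`, since managed installs also arrive through external locations.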
For more information about Kilim, see: