Trojan:JS/Kilim

Classification

  • Category: Malware

  • Type: Trojan

  • Platform: JS

  • Aliases: Trojan:JS/Kilim, Trojan:W32/Kilim

Summary

Trojan:JS/Kilim is a family of malicious browser extensions that post unauthorized content to the user's Facebook Wall.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either move the file to quarantine, where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it to F-Secure Labs for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Kilim is the name for a family of malware that installs browser extensions which post unauthorized content to the user's Facebook Wall.

Kilim is distributed in executable files that use names such as "flashplayer", "video installer", "premium installer" or similar, in order to lure an unsuspecting user into installing the program. The browser extensions they install may claim to offer some form of beneficial or desirable functionality (e.g., "Change the color of Facebook profile"); they may or may not perform as claimed, but they do run malicious routines in the background.

The binary files from this family are identified as Trojan:W32/Kilim, while the browser extensions themselves are detected as Trojan:JS/Kilim.

This malware family is primarily targeted at Turkish Facebook users.

Installation

On execution, the executable saves a copy of itself to the infected machine, then contacts a remote server to download web browser extension or add-on files (CRX files for Chrome browsers and XPI files for Firefox browsers).

To install the downloaded extensions, Kilim may download a preferences file (used by the web browser to manage the extensions) predefined with the malicious additions, and replace the existing preferences file with the downloaded one. Alternatively, the extensions may be installed by modifying the Windows registry.

Behavior

Once installed, the extension essentially uses the user's Facebook account to post status messages and/or links to their profile page, send messages to contacts, Like or Follow pages, and so on. Links included in the spammed messages or posts use typical social-engineering content (e.g., "Free ipad giveaway!") to encourage readers to click on them.

The malicious extensions may also forcibly close the tab when the user attempts to open the Extensions tab in the browser; remove other installed extensions; terminate or delete Googleupdate.exe to prevent the browser from receiving updates that might interfere with the malicious extensions; and disable User Account Control (UAC).
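Both installation routes described under Installation (a replaced browser preferences file, or a registry entry that registers the extension) and the behaviour described above leave traces in the browser's extension records. The following Python script is an added example for responders, not F-Secure tooling and not code from the Kilim family: it parses a Chrome/Chromium "Preferences" JSON file offline and flags extensions that were installed from an external preferences file or the Windows registry, or that are not from the Web Store yet request host access to facebook.com. It assumes the Preferences layout (entries under `extensions.settings` with `location`, `from_webstore`, `path` and `manifest` keys) and the `location` code mapping shown, which are taken from the Chromium source as the author understands it rather than from this page; the sample Preferences content, extension ids and path are constructed.

```python
"""Offline triage of a Chromium "Preferences" file for suspicious extensions."""
import json
import re

# Assumed mapping of Chromium ManifestLocation codes to readable names
# (not stated on the page; taken from the Chromium source as understood here).
LOCATION_NAMES = {
    0: "invalid",
    1: "internal",                  # user install, normally from the Web Store
    2: "external_pref",             # declared by an external preferences JSON
    3: "external_registry",         # declared under a Windows registry key
    4: "unpacked",
    5: "component",
    6: "external_pref_download",
    7: "external_policy_download",
    8: "command_line",
    9: "external_policy",
    10: "external_component",
}

# Install routes matching the page's description (preferences file / registry).
EXTERNAL_LOCATIONS = {2, 3, 6}

# Chrome extension ids are 32 characters drawn from a-p.
ID_RE = re.compile(r"^[a-p]{32}$")


def host_matches(permissions, domain):
    """True if any permission string grants access to *domain*."""
    for pat in permissions:
        if pat in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*"):
            return True
        if domain in pat:
            return True
    return False


def triage_preferences(prefs_text, watched_domain="facebook.com"):
    """Return one finding dict per extension recorded in extensions.settings."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        # MV2 keeps host patterns in "permissions"; MV3 uses "host_permissions".
        permissions = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
        location = entry.get("location", 0)
        external = location in EXTERNAL_LOCATIONS
        from_store = bool(entry.get("from_webstore", False))
        touches_domain = host_matches(permissions, watched_domain)

        reasons = []
        if not ID_RE.match(ext_id):
            reasons.append("malformed extension id")
        if external:
            reasons.append("installed via " + LOCATION_NAMES.get(location, str(location)))
        if not from_store:
            reasons.append("not from Web Store")
        if touches_domain:
            reasons.append("host access to " + watched_domain)

        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "location": LOCATION_NAMES.get(location, str(location)),
            "path": entry.get("path", ""),
            # External install, or a non-store extension that can reach the watched site.
            "suspicious": external or (not from_store and touches_domain),
            "reasons": reasons,
        })
    return findings


# Constructed sample Preferences content: one ordinary store extension and one
# registry-installed extension whose name echoes the lure quoted on the page.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {          # made-up id
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
                "manifest": {"name": "Benign Notes", "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {          # made-up id
                "from_webstore": False,
                "location": 3,
                "path": "C:\\ProgramData\\example_kilim\\ext.crx",   # made-up path
                "manifest": {
                    "name": "Change the color of Facebook profile",
                    "permissions": ["tabs", "*://*.facebook.com/*"],
                },
            },
        }
    }
})


def report(prefs_text):
    """Print a one-line summary per extension; return the suspicious ids."""
    flagged = []
    for f in triage_preferences(prefs_text):
        tag = "SUSPICIOUS" if f["suspicious"] else "ok        "
        print(f"{tag} {f['id']} {f['name']!r} [{f['location']}] {'; '.join(f['reasons'])}")
        if f["suspicious"]:
            flagged.append(f["id"])
    return flagged


if __name__ == "__main__":
    report(SAMPLE_PREFERENCES)
```

On a live machine you would read the real file (for Chrome on Windows it sits under the profile directory, e.g. `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences`) and pass its text to `report()`. Anything flagged as installed via the registry or an external preferences file deserves a look at the `path` it points to, since that is exactly where the CRX dropped by the installer would be.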

More

For more information about Kilim, see:

Date Created: -

Date Last Modified: -