Since yesterday, December 18, a new piece of malware has been spreading rapidly through Facebook Messenger. It is distributed as a ZIP file sent in a Messenger message; the file name is usually of the form "video_" followed by four random digits. If someone sends you a message with such a file, do not open it.
The malware is written in AutoIt, and its main functions are obfuscated to hinder analysis. Once a computer is infected, the attackers use it to mine cryptocurrency, which is why an infected machine becomes persistently slow for no apparent reason.
How does this malware work?
Once on the machine, the malware collects information about the computer and sends it to hxxp://ojoku.bigih.bid/api/cherry/login.php.
Next, the malware downloads and installs a malicious extension into the user's browser. This extension then sends the malware, disguised as video files, on to the victim's Facebook friends. The malware also plants a further extension by rewriting the Chrome shortcut files in locations such as the desktop, the taskbar, the program folder, and so on, so that Chrome loads it at start-up.
Finally, the malware restarts Chrome so that the extension takes effect, and drops another piece of malware, a "coin miner", that mines cryptocurrency on the infected computer.
How to protect yourself against the cryptocurrency-mining malware
If you have accidentally opened the malicious file, edit the Hosts file on your computer as soon as possible and add the following lines, which stop the malware from reaching its known domains (note that this only cuts off the two domains named here; it does not remove the malware, the extension or the miner from the computer):
127.0.0.1 ojoku.bigih.bid
127.0.0.1 plugin.ojoku.bigih.bid
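The following PowerShell script applies the Hosts block above on Windows. It is added here as an example and is not part of the original article. It must be run from an elevated (Administrator) PowerShell; it backs up the file, adds each entry only once, and flushes the DNS cache so the change applies to the next connection attempt. The two domains are the ones named in the article; the file path and the backup naming are our own choices.

```powershell
# Added example (not from the original article): block the malware's
# known domains via the Windows Hosts file. Run as Administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Administrator) PowerShell."
}

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Domains named in the article; extend this list if further ones are published.
$blocked = @('ojoku.bigih.bid', 'plugin.ojoku.bigih.bid')

# Keep a timestamped backup so the change can be reverted.
$backup = "$hostsPath." + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak'
Copy-Item -Path $hostsPath -Destination $backup

$existing = Get-Content -Path $hostsPath -ErrorAction Stop
foreach ($domain in $blocked) {
    # Only add an entry if no non-comment line already maps this exact host.
    $already = $existing | Where-Object {
        $_ -notmatch '^\s*#' -and (($_ -split '\s+') -contains $domain)
    }
    if ($already) {
        Write-Host "Already present: $domain"
    } else {
        Add-Content -Path $hostsPath -Value "127.0.0.1 $domain" -Encoding Ascii
        Write-Host "Added: 127.0.0.1 $domain"
    }
}

# Drop cached lookups so the sinkhole applies immediately.
ipconfig /flushdns | Out-Null
```

This is a stopgap, not a cleanup: it stops the sample from phoning home to these two domains, but the extension and the miner stay on the computer until they are removed as described further down.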
If you do not know how to open the Hosts file on your computer, refer to the following article:
In addition, as soon as you discover that your computer is infected, use another device to change your Facebook password immediately, and log out of Facebook on the infected computer.
Instructions for removing malicious code from your computer
According to CyRadar's experts, you can check whether your computer is infected as follows: open Chrome, type chrome://extensions/ in the address bar and press Enter. If the tab closes by itself, the computer is infected (the malicious extension closes that page so that you cannot see or remove it).
If you cannot remove it by deleting the files manually (or are not confident doing so), use a dedicated anti-virus product. Products that can currently remove this coin-mining malware include Avast (trial version) and Kaspersky Anti-Virus. Before scanning, update the virus definitions to the latest version.
However, the measures above are only remedies once you have already run into this Facebook malware. The best prevention is not to rush to open any unexpected file sent by friends or strangers. You should also read the article on how to avoid fake news on Facebook so that you do not fall into any scams.
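A complementary check, added here as an example and not taken from the article or from CyRadar: the article states that the malware rewrites Chrome shortcut files so that its extension is loaded, so a simple way to look for that tampering is to read the target and arguments of every Chrome shortcut on the desktop, in the Start Menu and among the pinned taskbar items. Our assumption (not stated in the article) is that the shortcut hands the extension to Chrome on its command line, which Chrome supports through the `--load-extension` switch; the script therefore prints every Chrome shortcut that carries any extra arguments at all and marks those containing `--load-extension`, so you can judge them yourself.

```powershell
# Added example (not from the original article): list Chrome shortcuts
# whose command line has been altered, e.g. to side-load an extension.
$shell = New-Object -ComObject WScript.Shell

# Locations the article says are rewritten (desktop, taskbar, program/Start
# Menu folders), for the current user and for all users.
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
) | Where-Object { $_ -and (Test-Path $_) }

$suspicious = @()
foreach ($lnk in Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    if ($sc.TargetPath -notmatch 'chrome\.exe$') { continue }

    # A clean Chrome shortcut normally has no arguments. Assumption (ours,
    # not from the article): a side-loaded extension appears as
    # --load-extension=<path>; any other argument deserves a look as well.
    if ($sc.Arguments -and $sc.Arguments.Trim() -ne '') {
        $suspicious += [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $sc.TargetPath
            Arguments = $sc.Arguments
            LoadsExt  = ($sc.Arguments -match '--load-extension')
        }
    }
}

if ($suspicious.Count -eq 0) {
    Write-Host "No Chrome shortcut with extra command-line arguments found."
} else {
    Write-Host "Chrome shortcuts with extra arguments (review before using them):"
    $suspicious | Format-List
}
```

A flagged shortcut can be replaced by creating a fresh one from chrome.exe, but that alone does not remove the extension files or the miner; treat a hit as confirmation that the full cleanup below is needed. This check is static and complements the chrome://extensions/ test above, which depends on the extension being active in the running browser.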