Trojan:JS/Kilim

Classification

Category :

Malware

Type :

Trojan

Aliases :

Trojan:JS/Kilim, Trojan:W32/Kilim

Summary

Trojan:JS/Kilim is a family of malicious browser extensions that post unauthorized content to the user's Facebook Wall.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Kilim is the name for a family of malware that installs browser extensions which post unauthorized content to the user's Facebook Wall.

Kilim is distributed in executable files that use names such as "flashplayer", "video installer", "premium installer" or similar, in order to lure an unsuspecting user into installing the program. These extensions may claim to contain some form of beneficial or desirable functionality (e.g., "Change the color of Facebook profile"); they may or may not perform as claimed, but do run malicious routines in the background.

The binary files from this family are identified as Trojan:W32/Kilim, while the browser extensions themselves are detected as Trojan:JS/Kilim.

This malware family is primarily targeted at Turkish Facebook users.

Installation

On execution, the executable saves a copy of itself to the infected machine, then contacts a remote server to download web browser extension or add-on files (CRX files for Chrome browsers and XPI files for Firefox browsers).

To install the downloaded extensions, Kilim may download a preferences file (used by the web browser to manage the extensions) predefined with the malicious additions, and replace the existing preferences file with the downloaded one. Alternatively, the extensions may be installed by modifying the Windows registry.

Behavior

Once installed, the extension essentially uses the user's Facebook account to post status messages and/or links to their profile page, send messages to contacts, Like or Follow pages and so on. Links included in the spammed messages or posts will use typical social-engineering style content (e.g., "Free ipad giveaway!") to encourage reader to click on them.

The malicious extensions may also forcibly close the tab when the user attempts to open the Extensions tab in the browser; remove other installed extensions; terminate or delete the Googleupdate.exe to prevent the browser from getting updates that might interfere with the malicious extensions; and disable the User Account Control (UAC).

More

For more information about Kilim, see: