So I thought of digging into it a bit deeper, I created a dummy account so that my normal account will not be affected.Then added myself as friend in the dummy account, so that I can monitor it.Then I opened the scrap I got from the dummy account.While inspecting the source code, I found that the suspicion is true, it in needs is the work of a worm!!.I found following iframe code injected along with the message into scrap.
This injected iframe loads "worm.js" script from tptools
Downloading the worm.js from the source and decoding it gives me following observations.
- It uses standard JS Objects and XMLHttpRequest to all sorts trouble.
- Code is obfuscated by using octal representation for objects and weird names (eg: _0x7c2bx4) for variables.
- It does the following if you opens a scrap page.
- Makes you join 5 communities.
- Sends Scraps to all your friends.
Following shows the part of the code that is responsible for the problems.
The main sign of infection is that, your browser will be hanged for a while if you open such a page.if you find it happens to you, close the browser immediately. It will prevent the worm from spreading.
- Clean all the cookies and private data stored in the browser.
- Install Firefox and NoScript addon, it will block all the scripts. Allow only those you wanted. But be careful not to allow scripts from tptools
org. Remove all those "Bom Sabado!" scraps from your Scrapbook.
- Be careful not to visit any of the infected pages until Google fix this injection vulnerability.