Created attachment 592890 [details]
20120130 Adobe Update.zip
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7
Steps to reproduce:
Downloaded the "Adobe Flash 11.3 Update" add-on from http://firstname.lastname@example.org
After install, it injects main.js from the addon, which injects http://oibruvv.com/ffunctions.js
ffunctions.js injects a script tag to load http://oibruvv.com/track.php
Track.php which injects script tags to load
The likepage.php steals your FB cookies and sends likes. It was configured to like this one 340392035980023
Wallpost.php is configurable, based on the GET params you pass to it. It will build a custom JS file with your spam message and URL.
It shouldn't steal cookies from the browser and send likes to Facebook without the user's knowledge.
The id is safe to block, as far as I can see.
This add-on changes its ID to avoid the blocklisting: email@example.com
Please file a new bug when it has a different ID. It's easier for us to track.