Created attachment 627759
20120528_vidddii.zip (password 'malwares4mple')
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Steps to reproduce:
Downloaded extension from http://viku12.co.cc/x/play.php?id=1
js_f.php (packed JS):
injects an iframe pointing to http://www.resultsz.com/search/anticheat6.php?username=mc0011
steals the Facebook user's session tokens
sets cookies px_<UID> and fb_bbip_* to maintain state
can like an arbitrary set of Facebook pages (currently not set to like any)
posts a link to http://bit[.]ly/MTfe4S as a status update by the victim with the text "Kirst*en. Dunst mastur*bating on hidden camera"
will solve captchas by posting the captcha image to http://mp56a.com/fn/cs/api/s_c.php?u
posts a link to http://tol[.]co/5q, with the text "LOL Miley Cyrus got caught having s3x"
It should not steal your Facebook session information and post to Facebook as you, without your consent.