It spreads by compromising accounts and spamming out the users' friends with a message that contains only a link. If followed, the link takes the potential victim to a page where he or she are offered what appears to be a screensaver for download:
Unfortunately, it is not a JPG file, but an executable (b.exe). Once executed, it downloads another executable to the system.
"The worm carries a cocktail of malware onto your machine, including a Zbot/ZeuS variant which is a serious threat and stealing sensitive information from the infected machine," warn the researchers.
The worm is hosted on a variety of domains, so the link in the malicious message may vary. Other servers are used to collect the data sent by the aforementioned malware and to serve additional malicious software.
The worm is currently detected only by two of the AV software solutions used by VirusTotal, and it has anti-VM capabilities, which makes it impossible for researchers to test it in virtual environments and sandboxes.
Needless to say, users are advised to be careful about opening suspicious links contained in Facebook messages. If you're not sure whether the message apparently sent by your friend was actually sent by him, it's better to ask him about it. In this case, if he has not, you can also tell him that his computer has probably been infected and his account compromised.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.