Apr 24, 2012 2:25 AM (in response to mvaug10087)
Yes, lots of downloads from Facebook and other 'social sites' contain malware.
You will find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy, useful:
The User Tip (which you are welcome to print out and retain for future reference) seeks to offer guidance on the main security threats and how to avoid them, including how to prevent, detect and/or remove the Flashback Trojan.
Apr 24, 2012 2:43 AM (in response to Klaus1)
Interesting post, but my concern is that this download was a built-in Facebook function, not a third-party download or app. The download function is new and available here (if you have a FB account):
Apr 24, 2012 5:56 AM (in response to mvaug10087)
This is the first that I have ever heard of such malware, but I do find it on Sophos' site:
They don't say much about it, though... just:
OSX/FkCodec-A is a fake installer that claims to be installing codec.
Looks like it was just added to their definitions yesterday, so it must be so new that nobody has written anything up about it yet. I would try to contact Facebook about that. I've just started the process of downloading my own Facebook information, and will report back here with what I find when it arrives.
Apr 24, 2012 6:33 AM (in response to thomas_r.)
I have Sophos AV and I saw the info on the Sophos website. The alert appeared as soon as I downloaded the .dmg from Facebook. The Facebook information download facility is also very new and has been getting a lot of attention in the media on this side of the Atlantic. With the, how can I put it, somewhat 'relaxed' approach to security prevalent in the Mac community, this could be a significant problem. I would love to report it to Facebook but I can't find a suitable link to use on their security page.
Apr 24, 2012 6:42 AM (in response to mvaug10087)
I think that's where the scam is coming in, right there. The download isn't a .dmg as far as I recall.
I'm just doing it again to be certain. When you click on the 'start my archive' button you should get a msg saying you'll receive an email when the archive is ready. However, as I remember, when you get the email, you click on the link and it takes you back to the same page. When you click on the button this time it just downloads the files to your default folder location.
I think the first thing I'd look at is the URL of the Facebook site you're visiting. Are you sure it's the genuine one? What's the URL?
Apr 24, 2012 7:19 AM (in response to thomas_r.)
Okay, I just got my Facebook data (what little there is of it... I'm not a big Facebook user), and there's nothing in it recognized by Sophos as malware. So it's definitely not something that everyone will find in their Facebook data.
Where in your Facebook data was the file? And would you be willing to e-mail the file Sophos identified to me, so I can do some tests? You can find my e-mail address on the "contact me" link at the bottom of my Mac Malware Guide. (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)
Edit: to e-mail it without getting flagged as sending malware, open the Terminal and paste in the following command:
zip -e ~/Desktop/fkcodec.zip
Make sure there's a space at the end, and then drop the file identified by Sophos onto the Terminal window. Hit return, and enter "infected" as the password. Take the resulting fkcodec.zip file, which will show up on the desktop, and e-mail that to me.
Apr 24, 2012 7:24 AM (in response to softwater)
I have just repeated the whole thing with no issues at all. I have a horrible feeling that it was completely coincidental Sophos AV activity at the same time as I was trying to open the Facebook archive .zip (@softwater you were correct it was not a .dmg).
Retires red-faced to corner.......
Apr 24, 2012 9:29 AM (in response to mvaug10087)
Well, if Sophos identified it, it had to have identified something. It's always possible it triggered on a false positive, but possibly not. I certainly wouldn't fool around since this was just added yesterday, meaning it's probably been discovered very recently.
Is it still in your Sophos quarantine, or did you delete the file? If it's still there, can you tell us what file was identified, and where? (You can click an item in the quarantine and the full path to the file will appear at the bottom of the window, under Threat Details.)
If it's still there, I can tell you more if you can find it and send it to me, according to the directions I posted earlier.
Apr 24, 2012 9:56 AM (in response to thomas_r.)
The file identified was download.dmg in the Downloads folder. Once I realised that it probably was not associated with Facebook download, I did a secure delete as the Sophos clean up threat did not seem to be doing anything. I can't remember the dates added or modified but I carried out a full scan on 9th April and it wasn't there then. Sorry this is not much help.