The company states that as common with these kinds of harmful attacks, the English used in the mail is extremely bad. The URL, is somewhat concealed- the first domain name the user sees is of Facebook. This is because the link does authentically go to Facebook first. Any URL with the pattern http://www.facebook.com/l/{random character};{ redirected URL} shows the Facebook preview page for external links. Reportedly, hackers have been betting that users will avoid the warnings and move on to their site.

Just in case users click on the malevolent link, they are directed to a page showing an image imitating the YouTube player with a pop-up box asking for a Flash player update. Clicking anywhere on the image leads to the installation of a harmful executable website identified as WORM_KOOBFACE.IC by Trend Micro.

Jonathan Leopando, Technical Communications Specialist at Trend Micro, states that this malevolent site is hosted on several IP addresses. All of them have a common payload. But like several earlier KOOBFACE variants, this is used to install malware on user's system. One of them- TROJ_JORIK.D downloads what seems to be a webserver on the user's computer, probably starting again the KOOBFACE infection chain, as per the statement published by softpedia.com on July 5, 2010.

The security experts at Trend Micro state that Koobface is the head of all social networking worms, and in general, one of the longest-running computer worms. Koobface attacks the login details of the users for propagating by spamming all of user's social networking friends. The spam campaigns of the worm have complicated social engineering, often involving a special video codec lure or a Flash Player upgrade.

Lastly, for avoiding such harmful campaigns, Trend Micro advises users to log out of Facebook whenever it is not being used as it will reduce the risk to their system.