Jar files are Java archives, a means of packaging Java programs for easy transport. In this case, the Java program is simply a downloader - it downloads a Trojan from a particular Dropbox account. The Trojan infects the computer and swipes your Facebook login information. It then turns around and sends messages to your friends, repeating the cycle.
The moral of the story? The same as it has been for at least 15 years: don't open unexpected attachments (whether in email or instant messaging services). Pay attention to the file extension - an image is not usually bundled into a .zip file. When in doubt, contact the sender (preferably through a different channel, such as by phone) to verify that they did in fact send you an attachment.
And if they intentionally sent you a malicious attachment? Well, now you know to have one fewer friend :-)
Thanks to Malwarebytes for bringing attention to this particular case.
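The file-extension advice above can be partly automated. The following is an added example, not code from the original post or from Malwarebytes: it lists the entries of a ZIP attachment without extracting them and flags anything with an executable extension or with Jar content stored under another name. The extension list, size cap, helper names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed, non-exhaustive list of extensions that run code when opened.
RISKY_EXTENSIONS = {".jar", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi"}
MAX_ENTRY_BYTES = 20 * 1024 * 1024  # assumed cap so a zip bomb is never unpacked


def looks_like_jar(data: bytes) -> bool:
    """True if the bytes are themselves a ZIP container holding a JAR manifest."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return "META-INF/MANIFEST.MF" in inner.namelist()
    except zipfile.BadZipFile:
        return False


def inspect_attachment(archive_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for each suspicious entry in a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in RISKY_EXTENSIONS:
                findings.append((info.filename, f"executable extension {ext}"))
            elif info.file_size > MAX_ENTRY_BYTES:
                findings.append((info.filename, "too large to inspect"))
            elif looks_like_jar(zf.read(info)):
                findings.append((info.filename, "JAR content under another extension"))
    return findings


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP; used only to construct the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a harmless manifest-only JAR stored under two names.
FAKE_JAR = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
SAMPLE = make_zip({"IMG_0001.jar": FAKE_JAR, "photo.jpg": FAKE_JAR, "notes.txt": b"hi"})

if __name__ == "__main__":
    for name, reason in inspect_attachment(SAMPLE):
        print(f"{name}: {reason}")
```

An empty result only means none of these checks fired; it does not make an unexpected attachment safe to open.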