
TrojanProxy:Win32/Koobface.gen!Q


First posted on 07 September 2010.
Source: SecurityHome

Aliases:

TrojanProxy:Win32/Koobface.gen!Q is also known as Net-Worm.Win32.Koobface.gxg (Kaspersky), Worm.Koobface.EWF (VirusBuster), Worm/Generic.BQWA (AVG), Worm/Koobface.gxg (Avira), Worm.Generic.267534 (BitDefender), Net-Worm.Win32.Koobface (Ikarus), Generic Proxy!v (McAfee), Trojan.Win32.Generic.522A8B92 (Rising AV), Mal/KoobHeur-A (Sophos), Trojan.Win32.Generic!BT (Sunbelt Software), W32.Koobface (Symantec).

Explanation:

TrojanProxy:Win32/Koobface.gen!Q is a component of the Win32/Koobface family. Koobface is a multi-component family of malware used to compromise machines and direct them in various ways at the attacker's will. This could include using the affected machine to distribute additional malware, generate 'pay per click' advertising revenue, steal sensitive data, break captchas, and subvert the affected user's online experience. Its components are varied, but include a worm that spreads by utilizing social networking sites such as Facebook and MySpace.

This particular component appears to be used for redirecting the results of user-initiated searches with several popular search engines, possibly in order to generate 'pay per click' advertising revenue.

Installation

TrojanProxy:Win32/Koobface.gen!Q is dropped by other Koobface components. In the wild, TrojanDropper:Win32/Koobface.N has been observed dropping and installing it. Typically, it may be dropped as <system folder>\wsz.dll. The .DLL is installed as an auto-start service running an HTTP proxy on port 8085.

Payload

Mediates / redirects search results

Together with the Koobface TDI filter driver component (detected as VirTool:WinNT/Koobface.gen!F), the .DLL redirects all traffic sent to remote TCP port 80 (HTTP) to the installed proxy. It uses this proxy to monitor search queries made to the search engines of Google, Yahoo, MSN / Live Search, AOL and Ask. The results of searches are redirected according to directives supplied from a control server located at IP 85.13.236.154.
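As an added, defender-side illustration that is not part of the original write-up: a small Python triage routine that checks host data for the three indicators named above, the local HTTP proxy listener on TCP 8085, a connection to the control server 85.13.236.154, and a loaded module named wsz.dll. The netstat output and module list are constructed samples, and matching the DLL by file name alone is an assumption, since the text only gives its typical drop location.

```python
"""Triage helper for the Koobface proxy component (added example).

Indicators come from the write-up: an HTTP proxy listening on TCP 8085,
a DLL dropped as <system folder>\\wsz.dll, and a control server at
85.13.236.154. All sample inputs below are constructed, not captured.
"""
import re

PROXY_PORT = 8085
CONTROL_SERVER = "85.13.236.154"
DLL_NAME = "wsz.dll"  # assumption: match on file name, any folder

# Constructed sample of `netstat -ano` output (TCP lines only).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:8085         0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.20:49203     85.13.236.154:80       ESTABLISHED     1544
  TCP    192.168.1.20:49210     74.125.67.100:80       ESTABLISHED     2208
"""

# Constructed sample of module paths loaded in a suspect process
# (e.g. taken from `tasklist /m` or a memory image module list).
SAMPLE_MODULES = [
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\wsz.dll",
    r"C:\Windows\System32\ws2_32.dll",
]

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\w+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, state, pid) for each TCP line."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(5), int(m.group(6))


def find_indicators(netstat_text, module_paths):
    """Return (indicator, detail) tuples; a lone 8085 listener is only a weak hint."""
    hits = []
    for lip, lport, rip, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING" and lport == PROXY_PORT:
            hits.append(("proxy_listener", f"pid {pid} listening on {lip}:{lport}"))
        if rip == CONTROL_SERVER:
            hits.append(("control_server", f"pid {pid} connected to {rip} ({state})"))
    for path in module_paths:
        if path.lower().rsplit("\\", 1)[-1] == DLL_NAME:
            hits.append(("dropped_dll", path))
    return hits
```

A host is worth deeper inspection when more than one indicator fires for the same PID, as in the sample where PID 1544 both listens on 8085 and talks to the control server.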

Analysis by Chun Feng

Last update 07 September 2010
