
Win32.Worm.Koobface.ALX


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.Koobface.ALX is also known as W32.Koobface.A, Rootkit.Win32.Agent.vir, Net-Worm.Win32.Koobface.cgk.

Explanation:

This worm performs the following actions upon execution:

- makes a copy of itself inside its own folder, appending the “.exe” extension to its name
- runs the copy it just created with the parameters “/res >%TEMP%\fio.bat”
- creates a DLL file named “fio32.dll” in the “%windir%\system32” folder
- creates a driver named “fio32.sys” in the “%windir%\system32\drivers” folder
- creates a batch file named “fio.Bat” in “%temp%”
- runs the file “fio.Bat”, after which the malware process terminates

The “fio.Bat” file then performs the following actions:

- creates a new registry entry under “HKLM\SOFTWARE\Microsoft\Internet Explorer\Main”, adding the value “tP” with data “1000”
- creates a new firewall exception named “fio32” for the process “svchost.exe”
- creates a firewall exception for TCP port 8085
- creates and starts a new service named “fioo32” for the “fio32.dll” file
- after this, it deletes the copy of the malware, and the batch file deletes itself

The driver and the DLL can disable some antivirus software, steal sensitive information and monitor browser activity.
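The artifacts listed above map directly onto a read-only host-triage check. The PowerShell script below is an added example, not part of the BitDefender write-up: it reports whether the dropped files, registry value, service, firewall rules and listening port described on this page are present. File, key, service and rule names are taken from the page; the ServiceDll lookup under the service's Parameters key is an assumption about how an svchost-hosted service is normally registered.

```powershell
# Added triage script for Win32.Worm.Koobface.ALX artifacts (not BitDefender code).
# Assumes PowerShell 3+ and netsh; run elevated so service/firewall queries are complete.
# Read-only: it only reports findings.

$findings = @()

# 1. Dropped files (page: %windir%\system32\fio32.dll, ...\drivers\fio32.sys, %temp%\fio.Bat)
foreach ($p in @("$env:windir\system32\fio32.dll",
                 "$env:windir\system32\drivers\fio32.sys",
                 "$env:TEMP\fio.bat")) {
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# 2. Registry marker (page: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main, value tP = 1000)
$ieMain = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
$tp = (Get-ItemProperty -Path $ieMain -Name 'tP' -ErrorAction SilentlyContinue).tP
if ($null -ne $tp) { $findings += "registry value tP = $tp under $ieMain" }

# 3. Service (page: service "fioo32" backed by fio32.dll)
$svc = Get-Service -Name 'fioo32' -ErrorAction SilentlyContinue
if ($svc) { $findings += "service fioo32 exists (status: $($svc.Status))" }
# Assumption: an svchost-hosted service records its DLL under Parameters\ServiceDll
$svcDll = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\fioo32\Parameters' `
           -Name 'ServiceDll' -ErrorAction SilentlyContinue).ServiceDll
if ($svcDll) { $findings += "fioo32 ServiceDll = $svcDll" }

# 4. Firewall exceptions (page: rule named "fio32" for svchost.exe, and TCP port 8085)
$rules = netsh advfirewall firewall show rule name=all 2>$null
if ($rules -match 'fio32')              { $findings += 'firewall rule mentioning fio32' }
if ($rules -match 'LocalPort:\s+8085\b') { $findings += 'firewall rule opening port 8085' }

# 5. Is anything currently listening on TCP 8085?
if (netstat -ano | Select-String ':8085\s+.*LISTENING') { $findings += 'TCP 8085 is listening' }

if ($findings.Count -eq 0) {
    'No Koobface.ALX artifacts found.'
} else {
    'Possible Koobface.ALX artifacts:'
    $findings | ForEach-Object { " - $_" }
}
```

A hit on any single indicator is worth a closer look, but the service plus the firewall rule together is the combination that most strongly suggests this specific infection rather than an unrelated file name collision.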

Last update 21 November 2011
