TrojanProxy:Win32/Koobface.gen!K
First posted on 04 May 2010.
Aliases:
TrojanProxy:Win32/Koobface.gen!K is also known as TR/Proxy.Koobface.123904.K (Avira), Win32/Koobface.MF (CA), Win32/Tinxy.BI (ESET), Net-Worm.Win32.Koobface.fzi (Kaspersky), W32/Koobface.worm.z2 (McAfee), Koobface.GRI (Norman), Mal/Koobface-C (Sophos), Worm.Koobface.DOK (VirusBuster).
Explanation:
TrojanProxy:Win32/Koobface.gen!K is the generic detection for a DLL component of the Win32/Koobface family. It is installed as a system service and redirects the browser to an attacker-controlled server when certain legitimate Web sites are accessed.
Installation

TrojanProxy:Win32/Koobface.gen!K may be dropped and installed by other components of the Win32/Koobface family, for example TrojanDropper:Win32/Koobface.J. The dropped file name and location may differ from sample to sample. One observed sample is dropped as the following:

%SystemRoot%\system32\clbcoko.dll

It may also be installed as a system service, for example with the name 'swoko'.

TrojanProxy:Win32/Koobface.gen!K attempts to create a system service for its device driver component if the device driver is not running. One observed example is the following:

Service Name: "ql600oko"
Service Description: "Microsoft Shell Controller Passport Debug vmx86 Explorer"
Image Path: "%SystemRoot%\system32\drivers\mfoko.sys"

Payload

Redirects network traffic

TrojanProxy:Win32/Koobface.gen!K listens on a port (for example, 8085) to communicate with the Koobface device driver component, such as VirTool:WinNT/Koobface.gen!E. It redirects all traffic that comes from or goes to ports 53 and 80 to this port.

Redirects Web site access

TrojanProxy:Win32/Koobface.gen!K works as a proxy to redirect access to certain Web sites. Whenever the user attempts to browse certain legitimate Web sites, the trojan loads an attacker-controlled server instead. Web sites whose addresses contain the following strings are made inaccessible to the user:

aolcdn.com
ask
bing
gmodules.com
googleadservices
img.youtube.com
metacafe.com
sa.aol.com
search.aol
search.live
search.msn
search.mywebsearch
search.yahoo
sugg.search
toolbarqueries
yahooapis.com
yimg.com

Instead, the browser resolves to an attacker-controlled remote server such as the following:

85.13.236.154

Connects to a remote server

TrojanProxy:Win32/Koobface.gen!K reports infection of the system to a remote server, such as '85.13.236.154'.

Additional information

If its files are deleted or moved, TrojanProxy:Win32/Koobface.gen!K attempts to recreate its dropped files and registry entries to ensure that it is still capable of running on the system.
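As an added example, not part of the original analysis: a small Python checker that flags DNS-resolution records in which a queried host name resolves to the attacker-controlled server named above, and notes which of the listed strings the host matched. The record layout and the sample records are constructed for this example; the 203.0.113.x answers are documentation addresses.

```python
# Added example (not from the original advisory): flag DNS-resolution records
# whose answer is the Koobface server named on the page, and note which of
# the hijacked host-name strings the queried host matched.
import re
from typing import Dict, List, Optional

# Host-name substrings the trojan intercepts, as listed in the advisory.
# Short entries such as "ask" and "bing" over-match (e.g. "task"), which is
# why flagging is keyed on the answer address, not on the host name alone.
HIJACKED_STRINGS = (
    "aolcdn.com", "ask", "bing", "gmodules.com", "googleadservices",
    "img.youtube.com", "metacafe.com", "sa.aol.com", "search.aol",
    "search.live", "search.msn", "search.mywebsearch", "search.yahoo",
    "sugg.search", "toolbarqueries", "yahooapis.com", "yimg.com",
)
# Attacker-controlled server named on the page; a real deployment would
# load the current address list from threat intelligence instead.
ATTACKER_SERVERS = frozenset({"85.13.236.154"})

# Constructed record layout: "<timestamp> <client-ip> <queried-host> <answer-ip>"
RECORD_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<answer>\S+)$")

def hijacked_string(host: str) -> Optional[str]:
    """Return the first listed substring found in host (case-insensitive), else None."""
    lowered = host.lower()
    return next((s for s in HIJACKED_STRINGS if s in lowered), None)

def flag_records(lines: List[str]) -> List[Dict[str, str]]:
    """Flag answers pointing at a known Koobface server, recording the matched string."""
    hits = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m or m["answer"] not in ATTACKER_SERVERS:
            continue  # unparsable line or a benign answer
        hits.append({"client": m["client"], "host": m["host"], "answer": m["answer"],
                     "matched": hijacked_string(m["host"]) or ""})
    return hits

# Constructed sample records; 203.0.113.x are documentation addresses.
SAMPLE_LOG = """\
2010-05-04T10:00:01Z 10.0.0.15 search.yahoo.com 85.13.236.154
2010-05-04T10:00:02Z 10.0.0.15 www.example.com 203.0.113.10
2010-05-04T10:00:03Z 10.0.0.21 img.youtube.com 85.13.236.154
2010-05-04T10:00:04Z 10.0.0.21 search.yahoo.com 203.0.113.20
2010-05-04T10:00:05Z 10.0.0.30 update.example.net 85.13.236.154
""".splitlines()

if __name__ == "__main__":
    for hit in flag_records(SAMPLE_LOG):
        print(hit)
```

Because the trojan also diverts port 53 on the infected host, records taken from an upstream resolver or network sensor are a more trustworthy input than the infected machine's own DNS cache.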
Analysis by Shawn Wang
Last update 04 May 2010