
Worm:Win32/Koobface.gen!G


First posted on 18 April 2012.
Source: Microsoft

Aliases :

Worm:Win32/Koobface.gen!G is also known as Trojan:Win32/Koobface.gen!Q (other), Win-Trojan/Agent.96256.GD (AhnLab), TR/Koobface.96256.Q (Avira), Win32/Koobface.ZZ (CA), Net-Worm.Win32/Koobface.hgi (Kaspersky), W32.Koobface (Symantec).

Explanation :

Worm:Win32/Koobface.gen!G is a generic detection for various components used by the Win32/Koobface family. This malware family spreads via social networking sites and may download and install arbitrary files. Some of its components hijack web searches to generate pay-per-click revenue, install additional malware such as rogue security software, and may also steal sensitive information. Its components are varied, but include a worm that spreads by utilizing social networking sites such as Facebook and MySpace.

Installation

Worm:Win32/Koobface.gen!G is downloaded and installed by variants of the Win32/Koobface family. Upon execution, it copies itself into the Windows folder and modifies the registry to execute the dropped copy at each Windows start.

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<variable>"
To data: "%windir%\<Win32/Koobface component file name>"

Spreads via…

Hyperlink posts on social network sites

The Koobface family spreads through social networking sites by posting links that commonly reference a webpage containing a false video link. The lure is a video, but the page suggests the user install a codec in order to view it; the "codec" is actually an installer for the Win32/Koobface main component. That component then downloads and installs an arbitrary number of other Koobface components on the affected computer. Below is a list of social networking sites that this malware family is capable of using for propagation:

  • Bebo
  • Facebook
  • Friendster
  • Fubar
  • hi5
  • MySpace
  • MyYearbook
  • Netlog
  • Tagged
  • Twitter
This component checks for the presence of Internet cookies for the associated social networking sites and uses them to connect to the site. Once connected, the worm sends messages, without the user's knowledge, to the friend or contact list of the affected user. The message format varies depending on templates received from its command and control server. The message content includes a web link that points to a copy of an installer for the main component of Win32/Koobface. Contacts that receive the message may visit the link, download the worm, and repeat the cycle of spreading Win32/Koobface to others.

Payload

Multiple payloads

Win32/Koobface can deliver multiple payloads, depending on which components are installed on an affected machine. These can include:
  • hijacking web searches to generate pay-per-click revenue
  • stealing sensitive information
  • breaking CAPTCHA challenge codes
  • downloading and executing arbitrary files, including additional malware
  • displaying pop-ups that attempt to intimidate affected users into installing rogue security software
  • starting a web server
  • starting a proxy server
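The Installation section above describes the persistence mechanism: a copy of the component dropped directly into the Windows folder and a Run value whose data points at "%windir%\<file>". The script below is an added triage example, not code from the page or from Microsoft. It parses a constructed .reg export of the HKLM Run key and flags every value whose program resides directly in the Windows folder (as opposed to a subfolder such as System32), which is the pattern described above. The sample export, the value names in it, and the expansion of %windir% to C:\Windows are all assumptions made for this example; a real host's Run key would be exported with reg.exe or read with PowerShell instead.

```python
import ntpath
import re

# Constructed sample of an exported Run key (not taken from the page). The
# "ld12" and "sysldr" names are made up; they mimic the arbitrary value name
# and %windir%-rooted data described in the Installation section.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%ProgramFiles%\\Windows Defender\\MSASCuiL.exe"
"VBoxTray"="C:\\Windows\\System32\\VBoxTray.exe"
"ld12"="%windir%\\ld12.exe"
"sysldr"="%SystemRoot%\\sysldr.exe /s"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINDIR = r"C:\Windows"  # assumed expansion of %windir% / %SystemRoot% on the analysed host

# A .reg string value line looks like: "Name"="data"
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_run_values(reg_text):
    """Return {value name: data} for the HKLM Run key in a .reg export."""
    values = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = _VALUE_RE.match(line)
        if m:
            # .reg exports double every backslash inside string data; undo that
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def executable_path(data):
    """Extract the program path from a Run value's command line."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.search(r"\.exe", data, re.IGNORECASE)
    return data[: m.end()] if m else data


def expand(path):
    """Expand the Windows-folder environment variables (assumed to be C:\\Windows)."""
    return re.sub(r"%(windir|systemroot)%", lambda _m: WINDIR, path, flags=re.IGNORECASE)


def find_windir_run_entries(reg_text):
    """Flag Run entries whose program lives directly in the Windows folder.

    Legitimate Run entries almost always point into Program Files or a
    subfolder of the Windows directory; a bare %windir%\\<file>.exe matches
    the persistence pattern described in the Installation section.
    """
    hits = []
    for name, data in parse_run_values(reg_text).items():
        exe = expand(executable_path(data))
        if ntpath.dirname(exe).casefold() == WINDIR.casefold():
            hits.append((name, exe))
    return hits


if __name__ == "__main__":
    for name, exe in find_windir_run_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious Run value {name!r} -> {exe}")
```

This is a heuristic for triage, not a signature: it surfaces candidates for a hash check or sandbox analysis and will also flag any legitimate program a user happens to have placed directly under C:\Windows.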


Analysis by Gilou Tenebro

Last update 18 April 2012

