
TrojanDropper:Win32/Koobface.J


First posted on 26 April 2010.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Koobface.J is also known as Win-Trojan/Koobface.225280 (AhnLab), Trojan-Dropper.Win32.Koobface.i (Kaspersky), W32/Koobface.GSQ (Norman), Trojan.DR.Koobface.DRK (VirusBuster), TR/Drop.Koobface.J.13 (Avira), Trojan-Dropper.Win32.Koobface (Ikarus), W32/Koobface.KA.worm (Panda), W32.Koobface.A (Symantec).

Explanation :

TrojanDropper:Win32/Koobface.J is the detection for the malware dropper component of certain members of the Win32/Koobface family. It drops and installs the proxy and driver components. TrojanDropper:Win32/Koobface.J also modifies the computer's firewall settings by allowing its proxy component to bypass the firewall, and adding a firewall exception for a certain port.

Installation

Upon execution, TrojanDropper:Win32/Koobface.J copies itself as an executable with the following file name format:

  • <Malware file name>.exe.exe

For example, if the original malware file is named "p.exe", it copies itself as "p.exe.exe".

Payload

Drops other Koobface components

TrojanDropper:Win32/Koobface.J drops the following files in the computer:

  • %windir%\system32\drivers\mrxoko.sys - driver component; detected as VirTool:WinNT/Koobface.gen!E
  • <system folder>\clbcoko.dll - proxy server component; detected as TrojanProxy:Win32/Koobface.gen!K

It also creates the batch file "%Temp%\w3oko.bat". This batch file deletes the malware dropper and its copy. The batch file also performs the following actions:

Adds value: "tp"
With data: "1000"
To subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main

Adds value: "FailureActions"
With data: "[00000000000000000000000003000000140000000100000060EA00000100000060EA00000100000060EA0000]"
Adds value: "ImagePath"
With data: "<system folder>\clbcoko.dll"
To subkey: HKLM\System\CurrentControlSet\Services\swoko

Sets up and starts the proxy component as a service:

Adds value: "ServiceDll"
With data: "<system folder>\clbcoko.dll"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\swoko\parameters

Adds value: "termsvc"
With data: "swoko"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

Modifies computer settings

TrojanDropper:Win32/Koobface.J modifies firewall settings by adding a firewall exception for the proxy server component. It also adds a firewall exception for TCP port 8085. TrojanDropper:Win32/Koobface.J may also use the open port to check if the current computer is already infected.

TrojanDropper:Win32/Koobface.J marks the last system boot as the last known good configuration by running the following command:

  • sc boot ok

TrojanDropper:Win32/Koobface.J flushes DNS settings by running the following command:

  • ipconfig /flushdns
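As an added defender-side check that is not part of the original write-up, the following PowerShell triage script looks on a Windows host for the file, service, svchost-group, registry and firewall artifacts listed above and reports any it finds, without changing anything. It assumes an elevated prompt; the legacy StandardProfile\GloballyOpenPorts registry location used for the TCP 8085 exception and the netstat line format are assumptions, not details taken from the write-up.

```powershell
# Added example, not from the original page: read-only triage for the
# Koobface.J artifacts described above. Run from an elevated PowerShell prompt.
$sys = [Environment]::SystemDirectory   # <system folder> in the write-up
$win = $env:windir                       # %windir% in the write-up
$findings = @()

# Dropped driver and proxy DLL (exact names from the write-up)
foreach ($f in @("$win\system32\drivers\mrxoko.sys", "$sys\clbcoko.dll")) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Service 'swoko' hosted by svchost through its ServiceDll parameter
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\swoko'
if (Test-Path $svc) {
    $findings += "Service key present: $svc"
    $p = Get-ItemProperty -Path "$svc\Parameters" -ErrorAction SilentlyContinue
    if ($p -and $p.ServiceDll -match 'clbcoko\.dll$') {
        $findings += "ServiceDll points to clbcoko.dll: $($p.ServiceDll)"
    }
}

# The 'termsvc' svchost group is not expected to list a service named 'swoko'
$grp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost' -ErrorAction SilentlyContinue
if ($grp -and ($grp.termsvc -contains 'swoko')) { $findings += 'SvcHost group termsvc lists swoko' }

# Marker value "tp" = 1000 written under Internet Explorer\Main
$ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and $ie.tp -eq 1000) { $findings += 'Internet Explorer\Main\tp = 1000' }

# Legacy Windows Firewall open-port list (assumed location for the 8085 exception)
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
$ports = Get-ItemProperty -Path $fw -ErrorAction SilentlyContinue
if ($ports -and ($ports.PSObject.Properties.Name -contains '8085:TCP')) {
    $findings += 'Firewall open-port entry 8085:TCP present'
}

# Anything currently listening on TCP 8085 (the port the write-up says is opened)
$listen = netstat -ano | Select-String ':8085\s+\S+\s+LISTENING'
if ($listen) { $findings += "Listener on TCP 8085: $($listen -join '; ')" }

if ($findings.Count -eq 0) { 'No Koobface.J artifacts found' } else { $findings }
```

A hit on the service key or ServiceDll alone is a strong indicator; the listener and firewall checks mainly confirm that the proxy component is active rather than merely staged.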


Analysis by Elda Dimakiling

Last update 26 April 2010