
Worm:Win32/Koobface.I


First posted on 07 March 2009.
Source: SecurityHome

Aliases:

Worm:Win32/Koobface.I is also known as Win32/Koobface!generic (CA), Win32/Koobface.NAO (ESET), Net-Worm.Win32.Koobface.dq (Kaspersky), and W32/Koobfa-Gen (Sophos).

Explanation:

Worm:Win32/Koobface.I is a worm that spreads via Facebook, Friendster, and other social networking Web sites.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    %windir%\olivar31.exe
    %windir%\olivar30.exe
    %windir%\ld01.exe
    %windir%\che08.exe
    %windir%\freddy35.exe
  • The presence of the following registry modifications:
    Added value: "sysftray2"
    With data: "%windir%\olivar19.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Added value: "sysldtray"
    With data: "%windir%\ld01.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • You received a message from a friend on Facebook, MySpace, Friendster, or another popular Web site that links to an untrusted Web site prompting you to download an executable file.
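As an added check that is not part of the original description, the following Python script scans a text export of the Run keys (the format written by Windows' `reg export`) for the autorun indicators listed above: the two value names and the dropped-file naming pattern. The .reg sample is constructed, and checking the HKCU Run key alongside the HKLM key named on the page is an assumption.

```python
import re

# Indicators taken from the Worm:Win32/Koobface.I description above.
KNOWN_VALUE_NAMES = {"sysftray2", "sysldtray"}
# Dropped copies use a short word plus two digits: olivar31.exe, ld01.exe, che08.exe, ...
DROPPED_EXE = re.compile(r"^.*\\(olivar|ld|che|freddy)\d{2}\.exe$", re.IGNORECASE)
# A .reg export writes each value as "name"="data" below a [key] header line.
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def is_run_key(key):
    """True for any CurrentVersion Run key (HKLM as on the page; HKCU assumed here too)."""
    return key.lower().endswith(r"\currentversion\run")


def scan_reg_export(text):
    """Return (key, value_name, data) for every Run entry that matches an indicator."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m is None or current_key is None or not is_run_key(current_key):
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        if name.lower() in KNOWN_VALUE_NAMES or DROPPED_EXE.match(data):
            findings.append((current_key, name, data))
    return findings


# Constructed sample export: one benign entry plus three Koobface-style entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysftray2"="C:\\WINDOWS\\olivar19.exe"
"updater"="C:\\WINDOWS\\freddy35.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"sysldtray"="C:\\WINDOWS\\ld01.exe"
"""

if __name__ == "__main__":
    for key, name, data in scan_reg_export(SAMPLE_REG):
        print(f"{key}\n  {name} = {data}")
```

The third sample entry is flagged on the file-name pattern alone, which catches a copy registered under a value name the page does not list.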


Worm:Win32/Koobface.I is a worm that spreads via Facebook, Friendster, and other social networking Web sites.

Installation
Upon execution, Win32/Koobface.I may copy itself to the Windows folder, as in the following examples:
  • %windir%\olivar31.exe
  • %windir%\olivar30.exe
  • %windir%\ld01.exe
  • %windir%\che08.exe
  • %windir%\freddy35.exe

It drops a cleanup batch script with a pseudo-random file name to the root of the local drive, as in this example:
    C:\355674543.bat
When run, the batch script removes the originally running worm. Win32/Koobface.I also drops the following log file:
    C:\social<date>.log
It modifies the system registry so that it runs automatically every time Windows starts, for example:
    Adds value: "sysftray2"
    With data: "%windir%\olivar19.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Adds value: "sysldtray"
    With data: "%windir%\ld01.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Spreads Via... Social Networking Web Sites
Worm:Win32/Koobface.I checks for cookies for the following popular social networking sites:
  • facebook.com
  • friendster.com
  • hi5.com
  • myspace.com
  • bebo.com

It then uses the found cookies to connect to the site and post messages to the list of friends in the user's account. The message contains data retrieved by this worm from a remote server, such as the following:
  • 1dns210109.com
  • temp210108.com
  • wm21012009.com
  • open21012009.com
  • 5824125537.com

The messages use various social engineering techniques to entice the user's friends to click on the link. Some of the messages it may display are the following:
    Title: W.O.W.
    Text: ooPS. looks like i found your private video on net.
    Link: http://to<REMOVED>.com/go/be.php?chd68f3=d41d8cd98f00b204e9800998ecf8427e

    Title: Thiss is videeo wwith yyou. YYou're doingg soomething fuunny thhere.
    Text: Hallo.
    Link: http://files.<REMOVED>.com/ram<REMOVED>/youtube/video.gif?9cfb5683ch=d41d8cd98f00b204e9800998ecf8427e

    Title: wow
    Text: Super video with you.
    Link: http://f<REMOVED>.com/go/fr.php

A sample message received from Friendster is the following:

Clicking on the malicious link leads to a Web site that purports to load a video. The user then gets a message that the video cannot be loaded without installing an update of Adobe Flash Player. The offered download is not actually Adobe Flash Player but is a copy of this worm.

    Analysis by Elda Dimakiling

    Last update 07 March 2009
