Home / malware Worm:Win32/Koobface.gen!D
First posted on 11 June 2009.
Source: SecurityHomeAliases :
Worm:Win32/Koobface.gen!D is also known as Also Known As:Win32/Koobface!generic (CA), W32/Koobface.O (Authentium (Command)), Net-Worm.Win32.Koobface.is (Kaspersky), W32/Koobface.worm.a (McAfee), W32/Koobface.CH (Norman), W32/Koobface.BG.worm (Panda), W32/Koobfa-Gen (Sophos), W32.Koobface.A (Symantec).
Explanation :
Worm:Win32/Koobface.gen!d is generic detection for variants of Win32/Koobface, a multi-component family of malware used to compromise machines and direct them in various ways at the attacker's will. This could include using the affected machine to distribute additional malware, generate 'pay per click' advertising revenue, steal sensitive data, break captchas, and subvert the affected user's online experience. Its components are varied, but include a worm that spreads by utilizing social networking sites such as Facebook and MySpace.
Symptoms
System ChangesThe following system changes may indicate the presence of this malware:The presence of the following files:
%windir%olivar19.exe
%windir%olivar31.exe
%windir%olivar30.exe
%windir%ld08.exe
%windir%che08.exe
%windir%freddy42.exe
The display of the following message:
Worm:Win32/Koobface.gen!d is generic detection for variants of Win32/Koobface, a multi-component family of malware used to compromise machines and direct them in various ways at the attacker's will. This could include using the affected machine to distribute additional malware, generate 'pay per click' advertising revenue, steal sensitive data, break captchas, and subvert the affected user's online experience. Its components are varied, but include a worm that spreads by utilizing social networking sites such as Facebook and MySpace.
Installation
If this worm is executed, Win32/Koobface copies itself to the Windows folder using a variable file name, as in the following examples: %windir%fbtre6.exe
%windir%mstre5.exe%windir%olivar19.exe
%windir%olivar31.exe
%windir%olivar30.exe
%windir%ld08.exe
%windir%che08.exe
%windir%freddy42.exe The worm may drop a cleanup batch script file also variable file name to the root of the local drive, as in this example: c:43214354.bat The worm may execute the cleanup batch script to remove the originally executed worm and to remove itself. The registry is modified to execute the dropped worm copy at each Windows start. Adds value: <value>With data: "%windir%/<worm file name>"To subkey: HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunSpreads Via…MySpace and FaceBook ContactsWin32/Koobface searches in the default Internet Explorer cookies folder for browser cookies related to the Internet social network sites including the following:facebook.com friendster.com hi5.com myspace.com bebo.com The worm spreads by sending messages containing a hyperlink to a copy of worm to friends or contacts of the infected user. Friends that receive the message may visit the link to download the worm and repeat the cycle of spreading to others.
Payload
Win32/Koobface can perform multiple payloads, depending on which components are installed on an affected machine. This can include:downloading and executing arbitrary files, including additional malware displaying pop-ups that attempt to intimidate affected users into installing rogue software starting a webserver starting a proxy server
Analysis by Scott MolenkampLast update 11 June 2009