
VirTool:WinNT/Koobface.P


First posted on 20 November 2010.
Source: SecurityHome

Aliases :

VirTool:WinNT/Koobface.P is also known as Rootkit.Win32.Agent.bivu (Kaspersky), Rootkit.Agent2.AVRM (VirusBuster), Rkit/Agent.bivu (Avira), Win32/Koobface.WA (CA), Trojan.NtRootKit.9616 (Dr.Web), Win32/Tinxy.CF (ESET), Rootkit.Win32.Agent (Ikarus), W32/Koobface.worm.gen.az!sys (McAfee), W32/Koobface.KG.worm (Panda), W32/Koobface-AV (Sophos), Worm.Win32.Koobface.gzc!sys (Sunbelt Software), W32.Koobface (Symantec).

Explanation :

VirTool:WinNT/Koobface.P is a device driver used by variants of Win32/Koobface to divert web traffic to a web search hijacker component.

Installation :

VirTool:WinNT/Koobface.P is installed in the Windows system folder as:

  • <system>\drivers\swe.sys

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

It adds the following registry keys and entries so that it starts at kernel initialization:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\swe

  • Sets value: "Type" With data: "0x00000001"
  • Sets value: "Start" With data: "0x00000001"
  • Sets value: "ErrorControl" With data: "0x00000001"
  • Sets value: "ImagePath" With data: "<system>\drivers\swe.sys"
  • Sets value: "DisplayName" With data: "swe"
  • Sets value: "Group" With data: "PNP_TDI"

Payload :

Diverts web traffic

VirTool:WinNT/Koobface.P diverts web traffic to a Win32/Koobface component that hijacks web searches performed on well-known search engines. When a user clicks on a search result, they are redirected to a third-party search engine that shows a list of sites that may or may not be related to the actual search keywords. This suggests that Koobface is part of a referral program for a pay-per-click scheme that pays for traffic directed to web sites.

Additional information :

In the wild, VirTool:WinNT/Koobface.P is known to be associated with Worm:Win32/Koobface.AL.
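The following PowerShell function is an added example, not part of the original write-up or of any vendor tool: it checks a live Windows host for the service key, registry values and driver file listed above. The function name and the output shape are this example's own; the indicator values come from the write-up.

```powershell
# Added example: hunt for the swe.sys driver service described in the write-up.
# Indicator values (key path, file name, Type/Start/ErrorControl/Group) are from
# the page; the function name and result object are this example's assumptions.
function Test-KoobfaceSweDriver {
    [CmdletBinding()]
    param(
        # Service key and driver path exactly as listed in the write-up
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\swe',
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\swe.sys')
    )

    # Values the write-up says the driver sets. Type 1 = kernel driver,
    # Start 1 = SYSTEM_START (loaded during kernel initialization).
    $expected = @{ Type = 1; Start = 1; ErrorControl = 1; Group = 'PNP_TDI'; DisplayName = 'swe' }
    $findings = New-Object System.Collections.Generic.List[string]

    if (Test-Path $ServiceKey) {
        $svc = Get-ItemProperty -Path $ServiceKey
        $findings.Add("service key present: $ServiceKey")
        foreach ($name in $expected.Keys) {
            $actual = $svc.$name
            if ($null -ne $actual -and "$actual" -eq "$($expected[$name])") {
                $findings.Add("$name matches write-up value '$($expected[$name])'")
            }
        }
        if ($svc.ImagePath -and $svc.ImagePath -match 'drivers\\swe\.sys$') {
            $findings.Add("ImagePath points at swe.sys: $($svc.ImagePath)")
        }
    }

    if (Test-Path $DriverPath) {
        # Record the hash so the sample can be compared against vendor detections
        $hash = (Get-FileHash -Path $DriverPath -Algorithm SHA256).Hash
        $findings.Add("driver file present: $DriverPath (SHA256 $hash)")
    }

    # A driver registered with the Service Control Manager under the name 'swe'
    # shows up here even if the on-disk file has already been removed.
    $loaded = Get-CimInstance Win32_SystemDriver -Filter "Name='swe'" -ErrorAction SilentlyContinue
    if ($loaded) { $findings.Add("driver 'swe' registered with SCM, state: $($loaded.State)") }

    [pscustomobject]@{
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings.ToArray()
    }
}

Test-KoobfaceSweDriver | Format-List
```

Run it from an elevated prompt so the Services key and the drivers folder are readable; a clean host returns Suspicious = False with an empty Findings list.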

Analysis by Gilou Tenebro

Last update 20 November 2010