
TrojanProxy:Win32/Koobface.gen!C


First posted on 18 June 2009.
Source: SecurityHome

Aliases :

TrojanProxy:Win32/Koobface.gen!C is also known as: Win-Trojan/Tinxy.14336 (AhnLab), Win32.Worm.Koobface.CK (BitDefender), Win32/SillyProxy.DC (CA), Trojan.Win32.Agent.cefe (Kaspersky), Proxy-Tinxy (McAfee), Bck/Hupigon.LKL (Panda), Troj/Small-ENC (Sophos), Infostealer.Gampass (Symantec).

Explanation :

TrojanProxy:Win32/Koobface.gen!C is a generic detection for the proxy component of the Win32/Koobface family. It creates a local Web proxy on an infected machine and points the user's Web browser at it, so that requests for selected domains can be redirected.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    dl32.exe
  • The presence of the following registry modification:
    Added value: "7171:TCP"
    With data: "7171:tcp:*:enabled:dl32"
    To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPortsList
  • Your Firefox process terminates and restarts.


Installation
Upon execution, TrojanProxy:Win32/Koobface.gen!C drops the following files:

  • <system folder>\dl32.exe - copy of TrojanProxy:Win32/Koobface.gen!C
  • %SystemDrive%\dl32.bat - batch script used to remove the original Win32/Koobface dropper

After dropping the above files, it executes 'dl32.bat', which deletes the originally-running copy and then the batch file itself.

Payload
Establishes Web proxy
TrojanProxy:Win32/Koobface.gen!C establishes a Web proxy on the system on TCP port 7171, which it uses to redirect the browser when the user tries to visit certain domains. These domains may vary; however, samples in the wild suggest that some of the domains being targeted are the following:

  aolcdn.com
  autodatadirect.com
  google.com
  img.youtube.com
  metacafe.com
  sa.aol.com
  yahooapis.com
  yimg.com

To use the port as a Web proxy, TrojanProxy:Win32/Koobface.gen!C makes the following registry modifications (the "http=" prefix makes the proxy apply to HTTP requests only):

  Adds value: "ProxyServer"
  With data: "http=localhost:7171"
  Adds value: "ProxyEnable"
  With data: "1"
  To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

On systems with Firefox installed, it appends the following lines to the Firefox configuration file prefs.js:

  user_pref("network.proxy.http", "localhost");
  user_pref("network.proxy.http_port", 7171);
  user_pref("network.proxy.type", 1);

Because Firefox applies user_pref lines in file order, the appended lines override any earlier proxy setting in prefs.js. To ensure that these settings are applied, TrojanProxy:Win32/Koobface.gen!C then attempts to terminate the Firefox process, so that the modified file is read on the next start. TrojanProxy:Win32/Koobface.gen!C also modifies the system settings to ensure that it can pass through the Windows Firewall, by adding the following registry entries:

  Adds value: "7171:TCP"
  With data: "7171:tcp:*:enabled:dl32"
  Adds value: "80:TCP"
  With data: "80:tcp:*:enabled:dl32"
  To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPortsList
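The indicators in the Symptoms and Payload sections (the dl32 firewall exceptions, the IE ProxyServer/ProxyEnable values, and the appended prefs.js lines) can be checked with a small triage script. The Python below is an added example and is not part of the original analysis or of any vendor tool. The sample registry values and prefs.js text are constructed for the demonstration; the optional collect_live_windows() helper assumes it runs on the affected Windows host and uses only the standard winreg module.

```python
"""Offline triage for the Koobface proxy-component indicators described above.

Added example code (not from the original analysis). SAMPLE_* inputs are
constructed; collect_live_windows() reads the real keys on a Windows host.
"""
import re
from typing import Dict, List, Optional

PROXY_PORT = 7171
# The page gives the firewall exception name as "dl32" (once as "dll32");
# both spellings are matched so a typo in either direction is not missed.
EXCEPTION_NAMES = {"dl32", "dll32"}
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def parse_open_port_entry(data: str) -> Dict[str, object]:
    """Split a GloballyOpenPortsList value of the form "port:proto:scope:status:name"."""
    parts = data.split(":", 4)
    if len(parts) != 5 or not parts[0].isdigit():
        raise ValueError(f"unexpected firewall entry format: {data!r}")
    port, proto, scope, status, name = parts
    return {"port": int(port), "proto": proto.lower(), "scope": scope,
            "status": status.lower(), "name": name}


def check_firewall_exceptions(values: Dict[str, str]) -> List[str]:
    """values: name -> data from HKLM\\...\\StandardProfile\\GloballyOpenPortsList."""
    findings: List[str] = []
    for value_name, data in values.items():
        try:
            entry = parse_open_port_entry(data)
        except ValueError as exc:
            findings.append(f"malformed firewall entry {value_name!r}: {exc}")
            continue
        by_name = str(entry["name"]).lower() in EXCEPTION_NAMES
        by_port = entry["port"] == PROXY_PORT and entry["proto"] == "tcp"
        if by_name or by_port:
            findings.append(f"firewall exception {value_name!r} = {data!r}")
    return findings


def check_ie_proxy(values: Dict[str, object]) -> List[str]:
    """values from HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings."""
    enabled = str(values.get("ProxyEnable", "0")) == "1"
    server = str(values.get("ProxyServer", ""))
    # ProxyServer is either "host:port" or per-protocol "http=host:port;https=host:port".
    for item in server.split(";"):
        target = item.strip().split("=", 1)[-1]
        host, _, port = target.rpartition(":")
        if host.lower() in LOCAL_HOSTS and port == str(PROXY_PORT):
            state = "enabled" if enabled else "disabled"
            return [f"IE proxy points at local port {PROXY_PORT} ({state}): {server!r}"]
    return []


PREF_RE = re.compile(r'user_pref\("(network\.proxy\.[a-z_]+)",\s*(?:"([^"]*)"|(\d+))\)')


def parse_proxy_prefs(text: str) -> Dict[str, object]:
    """Collect network.proxy.* prefs. Later user_pref lines override earlier ones,
    which is why simply appending to prefs.js is enough for the malware."""
    prefs: Dict[str, object] = {}
    for m in PREF_RE.finditer(text):
        prefs[m.group(1)] = m.group(2) if m.group(2) is not None else int(m.group(3))
    return prefs


def check_firefox_prefs(text: str) -> List[str]:
    prefs = parse_proxy_prefs(text)
    manual = prefs.get("network.proxy.type") == 1
    local = str(prefs.get("network.proxy.http", "")).lower() in LOCAL_HOSTS
    if manual and local and prefs.get("network.proxy.http_port") == PROXY_PORT:
        return [f"Firefox prefs.js forces manual HTTP proxy localhost:{PROXY_PORT}"]
    return []


def triage(firewall: Dict[str, str], ie: Dict[str, object],
           prefs_js: Optional[str]) -> List[str]:
    findings = check_firewall_exceptions(firewall) + check_ie_proxy(ie)
    if prefs_js is not None:
        findings += check_firefox_prefs(prefs_js)
    return findings


def collect_live_windows(prefs_js: Optional[str] = None) -> List[str]:
    """Read the real keys on a Windows host; pass the user's prefs.js text to include Firefox."""
    import winreg  # standard library, Windows only

    def read_values(root, path):
        out = {}
        try:
            with winreg.OpenKey(root, path) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    out[name] = data
        except OSError:
            pass  # key absent: nothing to report for it
        return out

    fw = read_values(winreg.HKEY_LOCAL_MACHINE,
                     r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\GloballyOpenPortsList")
    ie = read_values(winreg.HKEY_CURRENT_USER,
                     r"Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    return triage(fw, ie, prefs_js)


# Constructed sample input for the demonstration (not captured from a real host).
SAMPLE_FIREWALL = {
    "7171:TCP": "7171:tcp:*:enabled:dl32",
    "80:TCP": "80:tcp:*:enabled:dl32",
    "3389:TCP": "3389:tcp:*:enabled:@xpsp2res.dll,-22009",  # benign RDP exception
}
SAMPLE_IE = {"ProxyEnable": 1, "ProxyServer": "http=localhost:7171"}
SAMPLE_PREFS = (
    'user_pref("network.proxy.type", 0);\n'            # the user's original setting
    'user_pref("network.proxy.http", "localhost");\n'  # lines appended by the malware
    'user_pref("network.proxy.http_port", 7171);\n'
    'user_pref("network.proxy.type", 1);\n'
)

if __name__ == "__main__":
    for line in triage(SAMPLE_FIREWALL, SAMPLE_IE, SAMPLE_PREFS):
        print(line)
```

The checks are deliberately split by artifact so that a partial match (for example the firewall exceptions present but the IE proxy already cleaned) is still reported; port 7171 on TCP is flagged even when the exception name differs, since the name is the easiest field for a variant to change.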

Analysis by Chun Feng

Last update 18 June 2009
