Worm:Win32/Koobface.U


First posted on 22 February 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Koobface.U is also known as Worm/Koobface.U.2 (Avira), Win32/Worm.Koobface.AOR (BitDefender), Win32.HLLW.Facebook.557 (Dr.Web), Win32/Koobface.NCK (ESET), Backdoor.Win32.Agent.aoni (Kaspersky), W32/Koobface.worm.gen.ak (McAfee), W32/Koobface.FPS (Norman), Mal/EncPk-LW (Sophos), W32.Koobface.D (Symantec), WORM_KUBFACE.SMF (Trend Micro).

Explanation :

Worm:Win32/Koobface.U is a worm that spreads by posting messages, containing a link to the worm, to the pages of other contacts on social network sites such as Facebook. The worm has backdoor functionality that allows limited remote access and control.
Installation

When executed, the worm may create a mutex to ensure only one instance is running in memory. The mutex name is usually a random combination of numbers and letters, such as "xx464dg433xx16". The worm may copy itself to the Windows folder using the following name format: %windir%\<letters><2-digit number>.exe (for example "ld16.exe").

The worm drops a cleanup batch script with a pseudo-random file name, such as "dxxdv34567.bat", to the Windows folder. The worm modifies the registry so that its copy runs at each Windows start:

Adds value: "sysldtray"
With data: "<path and file name of Worm:Win32/Koobface.U>" (for example "C:\Windows\ld16.exe")
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Spreads via… social networking Web sites

Worm:Win32/Koobface.U checks for the presence of Internet cookies for the following Web sites:

  • hi5.com
  • twitter.com
  • netlog.com
  • facebook.com
  • tagged.com
  • bebo.com
  • myspace.com

Worm:Win32/Koobface uses these Internet cookies to connect to the site and post messages to the list of friends or contacts in the user's account. Posted messages contain text and a link to a remote Web site. The linked site may display text stating that the installed version of Flash Player is outdated and offer an update, which is actually a copy of the worm. The message content is retrieved from a remote server and contains a link to a Web page that may download Koobface variants.

Payload: allows remote access and control

Worm:Win32/Koobface.U could connect to one of the following remote servers and await commands from an attacker:
  • vagilin.com
  • www.eom.it
  • easygiftgiving.com
  • alcorcanecorso.com
  • www.nautiqa.com.sg
  • www.herangi.com
  • almullahotels.com
  • rjupnahaed.kopavogur.is
  • sonavil.com
  • www.jallabyah.com
  • westlafayettelittleleague.org
  • bonniejacobsen.com
  • dentistschoice-fl.com
  • hipspeople.com
  • optimumorg.com
  • www.arketwood.com
  • yourprofit.brevard-fl.com
  • smarahvammur.kopavogur.is
  • www.humlumnet.dk
  • kopahvoll.kopavogur.is
  • www.economy.rags.ru
  • 2live.be

Commands received could include any of the following actions:
  • Download updates or arbitrary files
  • Send information about the infected computer
  • Retrieve messages to be posted on contacts' pages
  • Start and stop the worm service
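As an added, defender-side example that is not part of the original analysis, the following Python script turns the host artifacts from the Installation section (the "sysldtray" Run value, the <letters><2-digit number>.exe copy and the pseudo-random .bat file in the Windows folder) and the command-and-control hosts listed above into triage checks. The Run-key values, directory listing and resolver log lines embedded in it are constructed sample data, the "client <ip> query <name>" log format is an assumption, and the function names are the example's own; the mutex check needs a live host and is not covered here.

```python
import re

# Persistence artifacts from the analysis above.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "sysldtray"
# Dropped copy: %windir%\<letters><2-digit number>.exe, e.g. "ld16.exe"
WORM_EXE_RE = re.compile(r"^[a-z]+\d{2}\.exe$", re.IGNORECASE)
# Dropped cleanup script: pseudo-random <letters><digits>.bat, e.g. "dxxdv34567.bat"
# (heuristic: any such name directly in the Windows folder is worth a look)
CLEANUP_BAT_RE = re.compile(r"^[a-z]+\d+\.bat$", re.IGNORECASE)

# Command-and-control hosts listed in the analysis.
C2_HOSTS = {
    "vagilin.com", "www.eom.it", "easygiftgiving.com", "alcorcanecorso.com",
    "www.nautiqa.com.sg", "www.herangi.com", "almullahotels.com",
    "rjupnahaed.kopavogur.is", "sonavil.com", "www.jallabyah.com",
    "westlafayettelittleleague.org", "bonniejacobsen.com", "dentistschoice-fl.com",
    "hipspeople.com", "optimumorg.com", "www.arketwood.com",
    "yourprofit.brevard-fl.com", "smarahvammur.kopavogur.is", "www.humlumnet.dk",
    "kopahvoll.kopavogur.is", "www.economy.rags.ru", "2live.be",
}

# Constructed sample input (not from the original analysis): Run-key values as a
# registry export tool might report them, a %windir% listing, and resolver log
# lines in an assumed "<timestamp> client <ip> query <name> <type>" format.
SAMPLE_RUN_VALUES = {
    RUN_KEY: {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
        "sysldtray": r"C:\Windows\ld16.exe",
    }
}
SAMPLE_WINDIR_LISTING = ["explorer.exe", "ld16.exe", "dxxdv34567.bat", "notepad.exe", "win.ini"]
SAMPLE_DNS_LOG = [
    "2010-02-22T10:01:02Z client 10.0.0.5 query facebook.com A",
    "2010-02-22T10:01:07Z client 10.0.0.5 query vagilin.com A",
    "2010-02-22T10:01:09Z client 10.0.0.7 query update.microsoft.com A",
    "2010-02-22T10:02:15Z client 10.0.0.5 query rjupnahaed.kopavogur.is A",
    "this line is not in the expected format",
]
DNS_LINE_RE = re.compile(r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) \S+$")


def find_suspicious_run_values(run_values):
    """Return (value name, data) pairs under the Run key matching the worm's persistence.

    Flags the documented value name and any data whose file name fits the
    <letters><2-digit number>.exe pattern, so a renamed value is still caught.
    """
    hits = []
    for name, data in run_values.get(RUN_KEY, {}).items():
        basename = data.strip('"').rsplit("\\", 1)[-1]
        if name.lower() == RUN_VALUE_NAME or WORM_EXE_RE.match(basename):
            hits.append((name, data))
    return hits


def find_suspicious_windir_files(listing):
    """Return file names in the Windows folder that match the dropped-file patterns."""
    return [f for f in listing if WORM_EXE_RE.match(f) or CLEANUP_BAT_RE.match(f)]


def is_c2_host(qname):
    """True if qname is a listed C2 host or a subdomain of one (label-wise suffix match)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in C2_HOSTS for i in range(len(labels)))


def find_c2_lookups(log_lines):
    """Return (client, queried name) pairs for lookups of listed C2 hosts; skip unparseable lines."""
    hits = []
    for line in log_lines:
        m = DNS_LINE_RE.match(line)
        if m and is_c2_host(m.group("qname")):
            hits.append((m.group("client"), m.group("qname").lower().rstrip(".")))
    return hits


def triage(run_values, windir_listing, dns_log):
    """Combine the three checks into one report dict."""
    return {
        "run_values": find_suspicious_run_values(run_values),
        "windir_files": find_suspicious_windir_files(windir_listing),
        "c2_lookups": find_c2_lookups(dns_log),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_RUN_VALUES, SAMPLE_WINDIR_LISTING, SAMPLE_DNS_LOG).items():
        print(f"{check}: {hits if hits else 'no hits'}")
```

The file-name patterns are deliberately loose, since the analysis only gives the shape of the names; treat a hit on the .exe or .bat pattern as a lead to confirm with the Run value and the C2 lookups rather than as proof of infection on its own.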


Analysis by Shawn Wang

Last update 22 February 2010