
Trojan:Win32/Koobface.B


First posted on 16 June 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Koobface.B is also known as Win-Trojan/Qhost.2048 (AhnLab), Win32/QHosts.FI (CA), Trojan.Hosts.301 (Dr.Web), Win32/Qhost.NRK (ESET), Trojan.Win32.Qhost.mlv (Kaspersky), W32/Koobface.ID.worm (Panda), W32/Atraps.AAZL (Norman), Troj/Koobhost-A (Sophos), Trojan.SpamThru (Symantec), TROJ_QHOST.WA (Trend Micro).

Explanation :

Trojan:Win32/Koobface.B is a trojan component of Win32/Koobface that replaces the local hosts file.

Installation

This trojan component is installed by other variants of Win32/Koobface, a multi-component family of malware used to compromise computers and direct them in various ways to an attacker's will. This could include using the affected computer to distribute additional malware, generate "pay-per-click" advertising revenue and other activities.

When run, this trojan drops a file as the following:

c:\1.tmp - Trojan:Win32/Koobface.A

The dropped file is then run.

Payload

Replaces hosts file

The trojan replaces the contents of the hosts file with the following:

<IP address> uuu20091124.info
<IP address> u07012010u.com

Where "<IP address>" is "85.13.206.114".

The hosts file is commonly stored as the following: %windir%\system32\drivers\etc\hosts.

The trojan then deletes itself.

Additional Information

For more information about Win32/Koobface, see the description elsewhere in our encyclopedia.
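The hosts-file payload described above can be checked for with a short audit script. This is an added example, not part of the original write-up: the function names, the finding labels and the sample hosts content are constructed for illustration, and only the IP address and the two domains come from the description.

```python
import ipaddress

# Indicators taken from the description above.
KOOBFACE_B_IP = "85.13.206.114"
KOOBFACE_B_DOMAINS = {"uuu20091124.info", "u07012010u.com"}

# Constructed sample: a hosts file carrying the two entries the trojan writes,
# plus benign entries so the audit has something to tell apart.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
85.13.206.114 uuu20091124.info
85.13.206.114 u07012010u.com
10.0.0.5 intranet.example   # admin-added override
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each usable entry in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text):
    """Return (line_no, ip, hostname, label) for every entry worth reviewing."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if str(ip) == KOOBFACE_B_IP or name in KOOBFACE_B_DOMAINS:
                label = "koobface.b-indicator"
            elif ip.is_loopback or ip.is_unspecified:
                continue  # localhost and 0.0.0.0 sinkhole entries are expected
            else:
                label = "non-loopback-override"  # not known bad; needs a human look
            findings.append((line_no, str(ip), name, label))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

On a live system, pass the contents of %windir%\system32\drivers\etc\hosts to `audit_hosts` instead of `SAMPLE`.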

Analysis by Tim Liu

Last update 16 June 2010

 
