
Win32.Worm.KoobFace.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Worm.KoobFace.A is also known as Net-Worm.Win32.Koobface.b and W32.Koobface.A.

Explanation :

Once it is launched, it moves itself to C:\Windows\mstre6.exe and then executes itself from that location.
It locates the default Internet Explorer cookies folder and searches it for files containing "myspace.com".
If no such files are found, it shows a MessageBox with the text "Error installing Codec. Please contact support", creates the file C:\Windows\mark2.dat and writes "1" into it. This marks the operating system as already visited by the worm; it then terminates itself and deletes its own file. The worm therefore only infects systems on which myspace.com has been used.
If such cookies are found on the system, it adds an entry to the Registry autorun under the value name "Systray".
The worm also deletes the following registry key:
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
Next, it retrieves from its server (zzzping.com) a set of links and short captions to be sent via MySpace.com. The links it attempts to send to the victim's MySpace.com contacts lead to a fake codec update, which is in fact an infected binary containing a copy of the worm.
This technique is extremely effective, especially since users are far more likely to trust links sent by friends than by unknown contacts. The worm spreads from one system to another through the MySpace contact lists.
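A defender-side triage check built from the artifacts listed above, added here as an example (it is not BitDefender's or malwarePDF's code): it takes a snapshot of host state, constructed in-line, and reports which of the named indicators are present. The snapshot layout and the strong/weak evidence weighting are assumptions made for this demo.

```python
from typing import Dict, List, Tuple

# Indicators taken from the write-up; comparisons are case-insensitive.
DROPPED_BINARY = r"c:\windows\mstre6.exe"
MARKER_FILE = r"c:\windows\mark2.dat"
AUTORUN_NAME = "systray"
DELETED_KEY = r"hkey_current_user\appevents\schemes\apps\explorer\navigating"


def triage(host: Dict) -> List[Tuple[str, str]]:
    """Return (strength, finding) pairs; an empty list means nothing matched.

    `host` is an assumed snapshot layout for this demo:
      files    - full paths present on disk
      autorun  - autorun value name -> command line, from any Run key collected
      reg_keys - registry keys that were checked and found present
    """
    findings = []
    files = {p.lower() for p in host.get("files", [])}
    if DROPPED_BINARY in files:
        findings.append(("strong", f"dropped binary present: {DROPPED_BINARY}"))
    if MARKER_FILE in files:
        # Written even on hosts without myspace.com cookies, where the worm
        # then exits and deletes its own file: proof of execution, not persistence.
        findings.append(("strong", f"infection marker present: {MARKER_FILE}"))
    for name, cmd in host.get("autorun", {}).items():
        if name.lower() != AUTORUN_NAME:
            continue
        # The value name alone is weak evidence; it is strong when the command
        # it launches is the dropped binary.
        strength = "strong" if "mstre6.exe" in cmd.lower() else "weak"
        findings.append((strength, f"autorun value '{name}' runs: {cmd}"))
    keys = {k.lower() for k in host.get("reg_keys", [])}
    if DELETED_KEY not in keys:
        # The key can be absent for unrelated reasons, so this only corroborates.
        findings.append(("weak", "AppEvents\\...\\Explorer\\Navigating key missing"))
    return findings


def worm_executed(host: Dict) -> bool:
    """Verdict rule for this demo: at least one strong indicator."""
    return any(strength == "strong" for strength, _ in triage(host))


# Constructed sample snapshot (not real forensic data).
INFECTED_HOST = {
    "files": [r"C:\Windows\mstre6.exe", r"C:\Windows\mark2.dat"],
    "autorun": {"Systray": r"C:\Windows\mstre6.exe"},
    "reg_keys": [],
}
```

Because the marker file is also written on hosts that had no MySpace cookies, a marker-only hit means the worm ran there, not that it persisted; the autorun entry and the dropped binary are the persistence evidence.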

Last update 21 November 2011

 
