
Worm:Win32/Koobface.gen!C


First posted on 06 July 2009.
Source: SecurityHome

Aliases:

Worm:Win32/Koobface.gen!C is also known as W32/Koobfa-Gen (Sophos), Win32/Koobface.NBG (ESET), W32/Koobface.worm (McAfee), W32.Koobface.B (Symantec).

Explanation:

Worm:Win32/Koobface.gen!C is a generic detection for worms that spread via social networking sites such as Facebook and MySpace.

Symptoms
As this worm spreads by sending messages to your contacts on certain social networking sites, you may receive inquiries from your contacts about a message that you do not remember sending to them. Aside from this, there are no other common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom.


Installation
Upon execution, Worm:Win32/Koobface.gen!C copies itself to the Windows folder using various file names, as in the following examples:

  • %windir%\ag11.exe
  • %windir%\omeo14.exe
  • %windir%\l13.exe

It modifies the system registry so that its dropped copy runs every time Windows starts, for example:

  Adds value: "systray"
  With data: "%windir%\<malware file name>"
  To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Depending on the sample, other value names may also be used, such as "sysftray2" or "sysldtray".

Worm:Win32/Koobface.gen!C may also drop a batch file with a random file name on the system, which is designed to delete the currently running worm copy once it has finished its malicious routines.

It also modifies the following registry entry, if it exists:

  Modifies value: "CLSID"
  With data: "{25336920-03f9-11cf-8fd0-00aa00686f13}"
  To subkey: HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml

Spreads via...
Social networking Web sites
Worm:Win32/Koobface.gen!C checks for cookies for the following social networking sites:

  • bebo.com
  • facebook.com
  • friendster.com
  • hi5.com
  • myspace.com

It then uses these cookies to connect to the Web site and post messages to the user's friends. The message contains data retrieved by this worm from a remote server, which has the following format:

  <string><date>.com

For example:

  • nua20090528.com
  • supersearch20090330.com
  • wnames1404.com
  • fdns6mar09.info
  • er20090515.com
  • upr15may.com

The message sent out by the worm with the user's account contains a link to a worm copy.
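The "<string><date>" domain format above is something a resolver log can be triaged for. The following is an added example written for this page, not code from the original write-up or from any vendor: it turns the date forms visible in the six example domains (YYYYMMDD, DDMM, DMONYY and DDMON) into a heuristic and runs it over a few constructed DNS query log lines. The log format and its `client=`/`query=` fields are assumptions.

```python
"""Heuristic check for the <string><date>.com domain pattern that the
write-up says Worm:Win32/Koobface.gen!C retrieves from its remote server.

Added example, not part of the original write-up. The DNS log lines below
are constructed, and the log format and field names are assumptions.
"""
import re
from datetime import date

MONTHS = {"jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"}

# Date suffix forms taken from the examples in the write-up:
#   nua20090528.com  -> YYYYMMDD
#   wnames1404.com   -> DDMM
#   fdns6mar09.info  -> DMONYY
#   upr15may.com     -> DDMON
DATE_SUFFIX = re.compile(
    r"^(?P<stem>[a-z]+)"
    r"(?:(?P<ymd>\d{8})"
    r"|(?P<dm>\d{4})"
    r"|(?P<d>\d{1,2})(?P<mon>[a-z]{3})(?P<yy>\d{2})?)$"
)


def looks_like_koobface_c2(hostname):
    """Return a short description of the date form found in the domain's
    second-level label, or None if the name does not fit the pattern."""
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) != 2:            # every example is a bare <label>.<tld>
        return None
    m = DATE_SUFFIX.match(parts[0])
    if not m:
        return None
    if m.group("ymd"):
        ymd = m.group("ymd")
        try:                       # reject impossible calendar dates
            date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))
        except ValueError:
            return None
        return f"YYYYMMDD={ymd}"
    if m.group("dm"):
        dm = m.group("dm")
        day, month = int(dm[:2]), int(dm[2:])
        if 1 <= day <= 31 and 1 <= month <= 12:
            return f"DDMM={dm}"
        return None
    if m.group("mon") not in MONTHS or not 1 <= int(m.group("d")) <= 31:
        return None
    if m.group("yy"):
        return f"DMONYY={m.group('d')}{m.group('mon')}{m.group('yy')}"
    return f"DDMON={m.group('d')}{m.group('mon')}"


# Constructed resolver log, one query per line (format is an assumption).
SAMPLE_DNS_LOG = """\
2009-05-28T10:02:11Z client=10.0.0.5 query=www.facebook.com type=A
2009-05-28T10:02:13Z client=10.0.0.5 query=nua20090528.com type=A
2009-05-28T10:02:14Z client=10.0.0.5 query=fdns6mar09.info type=A
2009-05-28T10:05:40Z client=10.0.0.9 query=upr15may.com type=A
2009-05-28T10:06:02Z client=10.0.0.9 query=mail.example.org type=A
2009-05-28T10:07:30Z client=10.0.0.9 query=wnames1404.com type=A
"""

QUERY_FIELD = re.compile(r"\bquery=(\S+)")
CLIENT_FIELD = re.compile(r"\bclient=(\S+)")


def scan_dns_log(log_text):
    """Return (hostname, client, date_form) for each query that fits the pattern."""
    hits = []
    for line in log_text.splitlines():
        q = QUERY_FIELD.search(line)
        if not q:
            continue
        form = looks_like_koobface_c2(q.group(1))
        if form:
            c = CLIENT_FIELD.search(line)
            hits.append((q.group(1), c.group(1) if c else "?", form))
    return hits


if __name__ == "__main__":
    for host, client, form in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {host} ({form})")
```

This is a triage signal, not a block list: a legitimate domain that happens to end in a date-like number will match too, and the live domain set changes from campaign to campaign, so a hit is worth correlating with the persistence entries described under Installation before acting on it.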

Payload
Performs backdoor functionality
Worm:Win32/Koobface.gen!C can perform any of the following actions on the system, depending on commands from a remote server:

  • Download updates to itself or additional malware
  • Send information about the system
  • Retrieve messages to post
  • Start and stop the malware service
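The two registry changes described under Installation (the Run value that relaunches the dropped copy from %windir%, and the CLSID written into the application/xhtml+xml MIME entry) are the host-side indicators a responder can check for. The following is an added example written for this page, not code from the original write-up or from any vendor: it parses a `reg export` style text and reports entries matching those indicators. The registry fragment is constructed by hand, and the worm file name in it is a placeholder; the value names, key paths and CLSID are the ones the write-up gives.

```python
"""Check `reg export` text for the persistence and MIME-handler changes
that the write-up attributes to Worm:Win32/Koobface.gen!C.

Added example, not part of the original write-up. The registry fragment
below is constructed in `reg export` format; the worm file name in it is
a placeholder. Value names, key paths and the CLSID come from the write-up.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MIME_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database"
            r"\Content Type\application/xhtml+xml")
# Value names the write-up lists for the worm's Run entry.
KOOBFACE_RUN_VALUES = {"systray", "sysftray2", "sysldtray"}
# CLSID the worm writes into the xhtml+xml MIME entry.
KOOBFACE_MIME_CLSID = "{25336920-03f9-11cf-8fd0-00aa00686f13}"
# The write-up says the copy is dropped directly in %windir%, not a subfolder.
WINDIR_EXE = re.compile(r"^(?:%windir%|[a-z]:\\windows)\\[^\\]+\.exe$",
                        re.IGNORECASE)

# Constructed sample in `reg export` format (backslashes in string data are
# doubled, as reg export writes them); PLACEHOLDER_WORM.exe is not a real name.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"systray"="C:\\WINDOWS\\PLACEHOLDER_WORM.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml]
"CLSID"="{25336920-03f9-11cf-8fd0-00aa00686f13}"
"Extension"=".xhtml"
"""

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Parse `reg export` text into {key_path: {value_name: data}}.
    Only REG_SZ lines ("name"="data") are handled; that is all this check needs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            # reg export escapes backslashes in string data as \\; undo that.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_koobface_indicators(keys):
    """Return (key, value_name, data, reason) tuples for matching entries."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() in KOOBFACE_RUN_VALUES:
            reason = "Run value name matches a Koobface persistence entry"
            if WINDIR_EXE.match(data):
                reason += " and points directly into the Windows folder"
            findings.append((RUN_KEY, name, data, reason))
    mime = keys.get(MIME_KEY, {})
    if mime.get("CLSID", "").lower() == KOOBFACE_MIME_CLSID.lower():
        findings.append((MIME_KEY, "CLSID", mime["CLSID"],
                         "xhtml+xml MIME CLSID matches the value the worm writes "
                         "(weak on its own; corroborate with the Run entry)"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in find_koobface_indicators(
            parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key}\n  {name} = {data}\n  {reason}")
```

On a live system the same checks would be run against the output of `reg export` for the two keys; the MIME CLSID is deliberately reported as weak, because the value alone does not prove infection, whereas a Run value named systray, sysftray2 or sysldtray that launches an executable sitting directly in the Windows folder is the stronger of the two signals.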


Analysis by Elda Dimakiling

Last update 06 July 2009
