VirTool:WinNT/Koobface.gen!F
First posted on 07 September 2010.
Source: SecurityHome

Aliases:
VirTool:WinNT/Koobface.gen!F is also known as Rootkit.Win32.Koobface.ef (Kaspersky), Worm/Generic.BQWC (AVG), RKIT/Koobface.EF (Avira), Trojan.Generic.4628711 (BitDefender), Win32/Koobface.TB (CA), VirTool.WinNT.Koobface (Ikarus), Generic.dx!tix (McAfee), W32/Koobface.C.worm (Panda), Trojan.Win32.Generic.52246C44 (Rising AV), Mal/KoobRK-A (Sophos), Trojan.Win32.Generic!BT (Sunbelt Software).
Explanation:
VirTool:WinNT/Koobface.gen!F is a detection for a driver component that is used by other malware to redirect TCP connections to specified addresses.
Installation

VirTool:WinNT/Koobface.gen!F may be dropped and installed by other Koobface components. In the wild, TrojanDropper:Win32/Koobface.N has been observed to drop and install it. Typically, it is dropped as '<system folder>\drivers\wzs.sys'.

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista and 7.

Payload

Intercepts network traffic

VirTool:WinNT/Koobface.gen!F attaches itself to the IPv4/IPv6 TCP protocol drivers as a TDI filter driver in order to intercept inbound and outbound traffic. The filter driver contains code to:

Deny a connection to a specified remote host/port
Deny a connection from a specified remote host/port
Redirect traffic to another host/port

In the wild, under the instruction of TrojanProxy:Win32/Koobface.gen!Q, VirTool:WinNT/Koobface.gen!F has been observed to redirect outgoing HTTP traffic through the Koobface proxy port, for example port 8085. Because the redirection happens in the kernel below the socket layer, the affected application still believes it is talking to the original web server.
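The following triage script is an added example, not part of the original write-up, that checks a host for the two observable indicators described above: the dropped driver file under the Installation section and the loopback proxy listener/redirected HTTP connections under the Payload section. It assumes only what the write-up states (file name wzs.sys under <system folder>\drivers, proxy port 8085); the driver's service name is not given, so the loaded-driver list is searched by image path rather than by name, and the port is a parameter because the write-up gives 8085 only as an example.

```powershell
# Koobface.gen!F host triage (added example; not from the original analysis).
# Assumptions: driver file name 'wzs.sys' and proxy port 8085 are taken from the
# write-up; the service name is unknown, so Win32_SystemDriver is matched on PathName.
param([int]$ProxyPort = 8085)

$systemFolder = [Environment]::SystemDirectory          # C:\Windows\System32 or C:\Winnt\System32
$driverPath   = Join-Path $systemFolder 'drivers\wzs.sys'
$findings     = @()

# 1. Dropped driver file on disk
if (Test-Path -LiteralPath $driverPath) {
    $f = Get-Item -LiteralPath $driverPath
    $findings += "Driver file present: $driverPath ($($f.Length) bytes, written $($f.LastWriteTime))"
}

# 2. Kernel driver service whose image points at wzs.sys, whatever it was registered as.
#    Get-WmiObject is used rather than Get-CimInstance so this also runs on PowerShell 2.0 (XP/Vista/7).
Get-WmiObject Win32_SystemDriver |
    Where-Object { $_.PathName -match 'wzs\.sys$' } |
    ForEach-Object {
        $findings += "Driver service '$($_.Name)' state=$($_.State) start=$($_.StartMode) path=$($_.PathName)"
    }

# 3. Local listener on the proxy port, and processes whose connections end up on it.
#    netstat -ano is parsed instead of Get-NetTCPConnection for the same compatibility reason.
#    Columns: Proto LocalAddress ForeignAddress State PID (UDP rows have no State and are skipped).
$tcpRows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }
foreach ($row in $tcpRows) {
    $fields = $row.Trim() -split '\s+'
    if ($fields.Count -lt 5) { continue }
    $local, $remote, $state, $procId = $fields[1], $fields[2], $fields[3], $fields[4]
    $procName = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName

    if ($state -eq 'LISTENING' -and $local -match ":$ProxyPort$") {
        $findings += "Listener on $local owned by PID $procId ($procName)"
    }
    elseif ($state -eq 'ESTABLISHED' -and $remote -match "^(127\.0\.0\.1|\[::1\]):$ProxyPort$") {
        # A browser that should be connecting to remote port 80 but instead shows a loopback
        # peer on the proxy port is the user-mode symptom of the TDI redirection.
        $findings += "PID $procId ($procName) is connected to loopback proxy $remote"
    }
}

if ($findings.Count -gt 0) {
    Write-Output 'Possible Koobface.gen!F indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No Koobface.gen!F indicators found.'
}
```

Two caveats when reading the output. First, a clean result from user mode proves little about the kernel: a TDI filter attached to \Device\Tcp or \Device\Tcp6 does not show up in socket listings at all, so the authoritative check is the device stack itself (for example `!devstack \Device\Tcp` in a kernel debugger, or scanning the drivers directory from an offline boot). Second, the proxy port is whatever TrojanProxy:Win32/Koobface.gen!Q configured on that host; if 8085 is not listening, rerun with another port rather than treating the absence as a negative.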
Analysis by Chun Feng
Last update 07 September 2010