
Net-Worm:W32/Koobface.ES


First posted on 05 March 2009.
Source: SecurityHome

Aliases:

There are no other names known for Net-Worm:W32/Koobface.ES.

Explanation:

A type of worm that replicates by sending complete, independent copies of itself over a network.

Koobface.ES replicates by sending fake messages to the friends listed in an infected user's account on a social networking website. The fake message includes a link to a webpage where unsuspecting visitors can be infected in turn.

Major social networking websites are targeted by this worm, including Facebook, MySpace, Friendster and Livejournal.

Activity

On its first execution, the worm installs itself by copying itself to the Windows directory. During execution, the worm also displays a message box.



Next, the worm looks for and connects to a remote active domain server and starts looking for cookies related to major social networking websites (see list below). If any relevant cookies are found, the worm will hijack the user's account with the social networking site, in order to go through the respective site and search for the user's friends.

Once information related to the user's friends has been compiled, the worm sends this information to a server, where the data is used to create a message. The message is then sent to the user's friends.

The generated message contains a link to a webpage from which a copy of the worm is downloaded. For example, the webpage may be a fake YouTube page, complete with fake comments; the user name and picture shown on it are pulled from the social networking site. Clicking anywhere on the page downloads a copy of the worm.

Most social networking websites use a Completely Automated Public Turing Test To Tell Computers and Humans Apart (CAPTCHA) to ensure that actual people, rather than computer programs, are creating user accounts. To circumvent the CAPTCHA check, the worm sends the CAPTCHA image back to its servers to be solved. The solved answer is then sent back to the worm.

Installation

During installation, the worm creates a copy of itself in the Windows directory, using the file name freddy35.exe. It also drops a batch file, whose purpose is to delete the worm's own files after its first execution.

The worm also makes a number of registry changes. One of these changes sets the xhtml+xml MIME type to be handled without prompting the user.

The worm needs to communicate with a server to function. A few possible server domains the worm can connect to are:

  • 1dns210109.com
  • temp210108.com
  • wm21012009.com
  • open21012009.com
  • er21012009.com

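The domains and the dropped file name above are the indicators a defender can act on. As an added example (not part of the original advisory, and not F-Secure's or the worm's code), the script below scans DNS or proxy log lines for lookups of the listed server domains, including their subdomains, and checks a directory listing for the dropped file name. The log lines are constructed for the example, and the log format (timestamp, client IP, host, one record per line) is an assumption.

```python
import os
import sys

# Server domains listed in this advisory for Koobface.ES (March 2009).
KOOBFACE_DOMAINS = {
    "1dns210109.com",
    "temp210108.com",
    "wm21012009.com",
    "open21012009.com",
    "er21012009.com",
}

# File name the worm drops into the Windows directory, per the advisory.
DROPPED_FILENAME = "freddy35.exe"

# Constructed sample log (not real telemetry). Assumed format per line:
# "<timestamp> <client-ip> <queried-host>". The last line is a deliberate
# look-alike that must NOT match, since the listed domain is not its suffix.
SAMPLE_LOG = """\
2009-03-05T10:01:12Z 10.0.0.15 www.example.com
2009-03-05T10:01:13Z 10.0.0.15 open21012009.com
2009-03-05T10:02:44Z 10.0.0.22 cdn.example.net
2009-03-05T10:03:01Z 10.0.0.15 update.wm21012009.com
2009-03-05T10:04:20Z 10.0.0.31 temp210108.com.evil-lookalike.org
"""


def domain_matches(host, bad_domains=KOOBFACE_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one.

    Matching on whole label suffixes (rather than a substring search)
    keeps 'temp210108.com.evil-lookalike.org' from producing a false hit.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))


def find_c2_lookups(log_text, bad_domains=KOOBFACE_DOMAINS):
    """Return (timestamp, client_ip, host) for every line whose host matches."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        timestamp, client_ip, host = parts
        if domain_matches(host, bad_domains):
            hits.append((timestamp, client_ip, host.lower()))
    return hits


def flag_dropped_files(file_names, dropped=DROPPED_FILENAME):
    """Return the entries of a directory listing that match the dropped file name.

    Windows file names are case-insensitive, so compare in lower case.
    """
    return [name for name in file_names if name.lower() == dropped.lower()]


def scan_windows_dir(windows_dir):
    """List the Windows directory and flag the dropped file name, if present."""
    try:
        return flag_dropped_files(os.listdir(windows_dir))
    except OSError:
        return []  # directory missing or unreadable (e.g. not on Windows)


if __name__ == "__main__":
    for timestamp, client_ip, host in find_c2_lookups(SAMPLE_LOG):
        print(f"{timestamp} {client_ip} looked up listed domain {host}")
    # Only meaningful on a Windows host; SystemRoot is unset elsewhere.
    windows_dir = os.environ.get("SystemRoot")
    if windows_dir:
        for name in scan_windows_dir(windows_dir):
            print(f"dropped file present: {os.path.join(windows_dir, name)}")
    sys.exit(0)
```

The suffix-by-label match is the part worth copying into any blocklist check: a plain substring test would flag the look-alike line and, conversely, a bare equality test would miss lookups of subdomains of the listed servers.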
The server is where the following functions are carried out:

  • Searches for cookies of social networking sites
  • Resolves CAPTCHA images
  • Generates messages
  • Sends further commands to the worm

During its communication with the server, the worm searches for cookies of these sites:

  • Facebook
  • Hi5
  • Friendster
  • Myyearbook
  • Myspace
  • Bebo
  • Tagged
  • Netlog
  • Fubar
  • Livejournal

The server can send the following commands:

  • START
  • RESET
  • SIMPLEMODE
  • DOMAIN_B
  • DOMAIN_C
  • DOMAIN_M
  • EXIT
  • FBSHAREURL
  • FBTARGETPERPOST
  • INVITE
  • LINK_B
  • LINK_C
  • LINK_M
  • TEXT_B
  • TEXT_C
  • TEXT_M
  • TITLE_B
  • TITLE_M
  • UPDATE
  • RAZLOG
  • RCAPTCHA
  • SHARELINK
  • BASEDOMAIN
  • STARTONCE
  • WAIT
  • POST

Last update 05 March 2009
