
Worm:Win32/Koobface.A


First posted on 24 April 2009.
Source: SecurityHome

Aliases:

Worm:Win32/Koobface.A is also known as Net-Worm.Win32.Koobface.b (Kaspersky).

Explanation:

Worm:Win32/Koobface.A is a worm that may spread when a user logs into their profile account on the Internet social network sites 'MySpace' or 'Facebook'.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:
    Value: systray
    With data: "%windir%/<worm file name>"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • The display of the following messages:




Installation
If this worm is executed, Win32/Koobface may drop a randomly named file into the Windows folder, such as in the following examples:

  • %windir%\fbtre6.exe
  • %windir%\mstre5.exe

The worm may also drop a cleanup batch script, again with a random file name, to the root of the local drive, as in this example: c:\42123.bat

The worm may execute the cleanup batch script to remove the originally executed worm file and then the script itself. The registry is modified to execute the dropped worm copy at each Windows start.

Adds value: systray
With data: "%windir%/<worm file name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Spreads Via MySpace and Facebook Contacts
Worm:Win32/Koobface.A searches the default Internet Explorer cookies folder for browser cookies related to the social networking sites MySpace and Facebook (myspace.com and facebook.com respectively). If the worm determines that neither of these sites has been visited, it may delete itself and may display the following message box:

The worm then connects to the Web site 'zzzping.com' in order to download and execute new malware. The worm spreads by sending messages containing a hyperlink to a copy of the worm to friends or contacts of the infected user. Friends who receive the message may visit the link, download the worm, and repeat the cycle of spreading to others.

Payload
Removes Audible Navigation Alerts
Win32/Koobface may delete a registry subkey that references navigation sounds, such as the 'click' sound played when navigating from one Web site to another. The following subkey may be deleted by the worm: HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
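As an added example, not part of the original write-up, the following Python script parses a Windows registry export (.reg text) and flags the two registry traces described above: the 'systray' value under the HKLM Run key whose data points into %windir%, and the missing Navigating sound subkey. The export text embedded below is constructed for illustration; the key paths come from the description, while the function names and the "report the missing subkey only when its parent was exported" rule are my own choices.

```python
"""Scan a Windows registry export (.reg text) for the registry traces
described for Worm:Win32/Koobface.A (persistence value and deleted sound key).

Added example, not code from the original write-up. Key paths are taken from
the description above; the sample export is constructed for illustration.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NAVIGATING_KEY = r"HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating"
APPEVENTS_ROOT = r"HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer"

# Constructed sample: what an export of the two relevant subtrees could look
# like on an infected host (the Navigating subkey is absent on purpose).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"systray"="%windir%/fbtre6.exe"

[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer]
@="Windows Explorer"

[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin]
@="Empty Recycle Bin"
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg export.

    Only REG_SZ ("...") data is decoded; other value types are kept as raw
    text so the caller can still see that the value exists."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group("default") else _unescape(m.group("name"))
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def _lookup(keys, wanted):
    # Registry paths are case-insensitive; exports may use either case.
    for k, v in keys.items():
        if k.lower() == wanted.lower():
            return v
    return None


def check_koobface_indicators(keys):
    """Return human-readable findings for the indicators described on this page."""
    findings = []
    run = _lookup(keys, RUN_KEY) or {}
    for name, data in run.items():
        if name.lower() == "systray" and "%windir%" in data.lower():
            findings.append(f"Run value '{name}' executes {data} at startup "
                            "(Koobface persistence pattern)")
    # The worm deletes the Navigating sound subkey. Report its absence only
    # when the parent Explorer subtree was exported, so a partial export
    # does not raise a false alarm.
    if _lookup(keys, APPEVENTS_ROOT) is not None and _lookup(keys, NAVIGATING_KEY) is None:
        findings.append("HKCU\\AppEvents\\Schemes\\Apps\\Explorer\\Navigating subkey "
                        "is missing (navigation sounds removed)")
    return findings


if __name__ == "__main__":
    for finding in check_koobface_indicators(parse_reg(SAMPLE_EXPORT)):
        print("[!]", finding)
```

On a real host, export the two subtrees with `reg export` (for example the Run key and HKCU\AppEvents\Schemes\Apps\Explorer) and read the files with encoding "utf-16", since reg.exe writes Unicode exports; then pass the concatenated text to parse_reg. A 'systray' Run value is only a pattern, not proof, so treat a hit as a prompt to inspect the referenced file in %windir% rather than as a verdict.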

Analysis by Vitaly Zaytsev

Last update 24 April 2009
