Worm:Win32/Koobface.I
First posted on 07 March 2009.
Source: SecurityHome
Aliases:
Worm:Win32/Koobface.I is also known as Win32/Koobface!generic (CA), Win32/Koobface.NAO (ESET), Net-Worm.Win32.Koobface.dq (Kaspersky), W32/Koobfa-Gen (Sophos).
Explanation:
Worm:Win32/Koobface.I is a worm that spreads via Facebook, Friendster, and other social networking Web sites.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
%windir%\olivar31.exe
%windir%\olivar30.exe
%windir%\ld01.exe
%windir%\che08.exe
%windir%\freddy35.exe
The presence of the following registry modifications:
Added value: "sysftray2"
With data: "%windir%\olivar19.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Added value: "sysldtray"
With data: "%windir%\ld01.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
You received a message from a friend on Facebook, Myspace, Friendster, or any other popular Web site that links to an untrusted Web site prompting you to download an executable file.
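The following PowerShell script is an added example and is not part of the original analysis. It checks a Windows host for the artifacts listed above: the dropped executables in the Windows folder, the two Run values, and the numeric-named cleanup batch file and social<date>.log at the drive root. Because the numeric suffix in the dropped file names varies between samples (olivar31, olivar30 and olivar19 all appear on this page), it matches file names on their stem followed by digits rather than on one exact name; the function name and the output fields are this example's own choices. Run it from an elevated prompt so that HKLM and the Windows folder are fully readable.

```powershell
# Added example, not from the original analysis: host check for the
# Worm:Win32/Koobface.I artifacts named in the Symptoms section.
# Run from an elevated PowerShell prompt.

function Get-KoobfaceIndicators {
    [CmdletBinding()]
    param(
        [string]$WinDir = $env:windir,
        [string]$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )

    # File name stems from the analysis; the numeric suffix (olivar31,
    # olivar30, olivar19, ld01, che08, freddy35 ...) varies per sample,
    # so match <stem><digits>.exe rather than one exact name.
    $fileStems = 'olivar', 'ld', 'che', 'freddy'

    # Value names the worm adds under HKLM\...\CurrentVersion\Run.
    $runNames = 'sysftray2', 'sysldtray'

    # 1. Dropped copies in the Windows folder.
    foreach ($stem in $fileStems) {
        Get-ChildItem -Path $WinDir -Filter "$stem*.exe" -File -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match ('^' + $stem + '\d+$') } |
            ForEach-Object {
                [pscustomobject]@{
                    Type   = 'DroppedFile'
                    Where  = $_.FullName
                    Detail = "size=$($_.Length) lastwrite=$($_.LastWriteTime)"
                }
            }
    }

    # 2. Persistence: the Run values, with the path each one launches.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    foreach ($name in $runNames) {
        if ($null -ne $run -and $null -ne $run.PSObject.Properties[$name]) {
            [pscustomobject]@{
                Type   = 'RunValue'
                Where  = "$RunKey\$name"
                Detail = $run.$name
            }
        }
    }

    # 3. Drive-root artifacts: the numeric-named cleanup batch file and
    #    the social<date>.log file. -Force includes hidden/system files.
    $root = (Get-Item -Path $WinDir).PSDrive.Root
    Get-ChildItem -Path $root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+\.bat$' -or $_.Name -match '^social.*\.log$' } |
        ForEach-Object {
            [pscustomobject]@{
                Type   = 'RootArtifact'
                Where  = $_.FullName
                Detail = "lastwrite=$($_.LastWriteTime)"
            }
        }
}

$hits = @(Get-KoobfaceIndicators)
if ($hits.Count -eq 0) {
    Write-Output 'No Koobface.I indicators found.'
} else {
    $hits | Format-Table -AutoSize
}
```

A Run value hit is the strongest single indicator here, since the value data tells you which dropped copy is the one configured to start with Windows; a lone numeric .bat at the drive root is weak on its own and is worth reporting only alongside the other artifacts.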
Installation
Upon execution, Win32/Koobface.I may copy itself to the Windows folder, as in the following examples:
%windir%\olivar31.exe
%windir%\olivar30.exe
%windir%\ld01.exe
%windir%\che08.exe
%windir%\freddy35.exe
The numeric suffix in these file names varies between samples (the Run value below points at olivar19.exe, for instance), so a check for this worm should match on the name stem rather than on one exact file name.
It drops a cleanup Batch script file with a pseudo-random file name to the root of the local drive, as in this example:
C:\355674543.bat
When run, the Batch script deletes the originally executed worm file, so the copy the user launched may no longer be present even though the copies in the Windows folder remain.
Win32/Koobface.I also drops the following log file:
C:\social<date>.log
It modifies the system registry so that it runs automatically every time Windows starts, for example:
Adds value: "sysftray2"
With data: "%windir%\olivar19.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "sysldtray"
With data: "%windir%\ld01.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Spreads Via... Social Networking Web Sites
Worm:Win32/Koobface.I checks for cookies for the following popular social networking sites:
facebook.com
friendster.com
hi5.com
myspace.com
bebo.com
It then uses the found cookies to connect to each site and post messages to the friends listed in the user's account. Because it reuses the browser's stored session cookies, it needs neither the account password nor any action from the user; cleanup should therefore include invalidating those sessions (logging out of the sites and clearing the browser's cookies), not just removing the files.
The message content is retrieved by the worm from a remote server; some of the servers used are the following:
1dns210109.com
temp210108.com
wm21012009.com
open21012009.com
5824125537.com
The messages use various social engineering techniques to entice the user's friends to click on the link. Some of the messages it may display are the following, shown as sent (the misspellings are part of the lure text; the 32-hex-digit parameter value d41d8cd98f00b204e9800998ecf8427e, which appears in more than one link, is the MD5 hash of an empty string):

Title: W.O.W.
Text: ooPS. looks like i found your private video on net.
Link: http://to<REMOVED>.com/go/be.php?chd68f3=d41d8cd98f00b204e9800998ecf8427e

Title: Thiss is videeo wwith yyou. YYou're doingg soomething fuunny thhere.
Text: Hallo.
Link: http://files.<REMOVED>.com/ram<REMOVED>/youtube/video.gif?9cfb5683ch=d41d8cd98f00b204e9800998ecf8427e

Title: wow
Text: Super video with you.
Link: http://f<REMOVED>.com/go/fr.php

A sample message received from Friendster is the following: [screenshot not reproduced]

Clicking on the malicious link leads to a Web site that purports to load a video. The user then gets a message that the video cannot be loaded without installing an update of Adobe Flash Player. The offered download is not Adobe Flash Player but a copy of this worm.
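The following PowerShell script is an added example and is not part of the original analysis. It looks for the message-content servers listed above in two places: the local DNS client cache (Get-DnsClientCache, available on Windows 8 / Server 2012 and later) and proxy log lines. The log line format ("<time> <client-ip> <url> <status>"), the sample lines, the client addresses and the example.com / example.org hosts are all constructed for this example; the secondary "lure-link" check keys on the .php link shape with the empty-string MD5 parameter seen in the messages above and is deliberately reported separately, since that parameter alone is a weaker indicator than a hit on one of the named domains.

```powershell
# Added example, not from the original analysis: network-indicator check
# for the Worm:Win32/Koobface.I servers listed in the analysis. The log
# format and sample lines below are constructed for this example.

$koobfaceDomains = @(
    '1dns210109.com', 'temp210108.com', 'wm21012009.com',
    'open21012009.com', '5824125537.com'
)

# Bare domain or any subdomain of it (-match is case-insensitive by default).
$domainPattern = '(^|\.)(' +
    (($koobfaceDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

# Lure-link shape from the messages above: a .php link whose query value is
# d41d8cd98f00b204e9800998ecf8427e, the MD5 of an empty string.
$lurePattern = '\.php\?[^\s]*=d41d8cd98f00b204e9800998ecf8427e'

function Test-KoobfaceHost {
    param([string]$HostName)
    return [bool]($HostName -match $domainPattern)
}

function Find-KoobfaceLogHits {
    # Expects lines of the constructed form "<time> <client-ip> <url> <status>".
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 3) { continue }
        $url = $fields[2]
        $uri = $url -as [uri]                      # $null if not a valid URI
        if ($null -eq $uri -or -not $uri.IsAbsoluteUri) { continue }
        $reason = $null
        if (Test-KoobfaceHost $uri.Host)        { $reason = 'koobface-server' }
        elseif ($url -match $lurePattern)       { $reason = 'lure-link' }
        if ($reason) {
            [pscustomobject]@{
                Time   = $fields[0]
                Client = $fields[1]
                Host   = $uri.Host
                Reason = $reason
            }
        }
    }
}

# (a) Local DNS client cache, where the cmdlet exists.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { Test-KoobfaceHost $_.Entry } |
        ForEach-Object { "DNS cache hit: $($_.Entry) -> $($_.Data)" }
}

# (b) Constructed sample proxy log: lines 2, 3 and 4 should be flagged.
$sampleLog = @'
2009-03-07T10:12:01Z 10.0.0.15 http://www.facebook.com/home.php 200
2009-03-07T10:12:09Z 10.0.0.15 http://1dns210109.com/ 200
2009-03-07T10:13:44Z 10.0.0.21 http://cdn.temp210108.com/ 200
2009-03-07T10:14:02Z 10.0.0.15 http://example.com/go/be.php?chd68f3=d41d8cd98f00b204e9800998ecf8427e 302
2009-03-07T10:15:30Z 10.0.0.33 http://www.example.org/ 200
'@

Find-KoobfaceLogHits -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
# For a real log: Find-KoobfaceLogHits -Lines (Get-Content -Path C:\logs\proxy.log)
```

Matching on the domain suffix rather than on a substring avoids false positives from unrelated hosts that merely contain one of these strings, and parsing the URL with [uri] means the host is compared on its own rather than against the whole line.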
Analysis by Elda Dimakiling
Last update 07 March 2009