
TrojanProxy:Win32/Koobface.gen!A


First posted on 27 March 2009.
Source: SecurityHome

Aliases :

TrojanProxy:Win32/Koobface.gen!A is also known as W32/Smalltroj.LVYW (Norman), Win32/VMalum.EVBB (CA), Trojan-Proxy.Win32.Small.zl (Kaspersky), Generic.dx (McAfee).

Explanation :

TrojanProxy:Win32/Koobface.gen!A is a component of the Win32/Koobface family. Koobface is a multi-component family of malware used to compromise machines and direct them in various ways at the attacker's will. This could include using the affected machine to distribute additional malware, generate 'pay per click' advertising revenue, steal sensitive data, break captchas, and subvert the affected user's online experience. Its components are varied, but include a worm that spreads by utilizing social networking sites such as Facebook and MySpace. This particular component appears to be used for redirecting the results of user-initiated searches with several popular search engines, possibly in order to generate 'pay per click' advertising revenue.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    %SystemRoot%\system32\nfr.dll
    %SystemRoot%\system32\nfr.assembly
    %SystemRoot%\system32\nfr.mpref
    %SystemRoot%\system32\nfr.gpref
  • The presence of the following registry modifications:
    Adds value: "nfr"
    With data: "rundll32.exe nfr.dll,ServiceMain /pid=6004"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = http=localhost:7070
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = http=localhost:7070
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride = *.local;<local>
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride = *.local;<local>
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0x01
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0x01
  • The presence of the following additional lines in the Mozilla Firefox configuration file 'prefs.js':
    user_pref("network.proxy.http", "localhost");
    user_pref("network.proxy.http_port", 7070);
    user_pref("network.proxy.type", 1);



    Installation
    When executed, TrojanProxy:Win32/Koobface.gen!A drops the following file:
  • %SystemRoot%\system32\nfr.dll
    and modifies the registry to install this DLL:
    Adds value: "nfr"
    With data: "rundll32.exe nfr.dll,ServiceMain /pid=6004"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Payload
    Modifies Security Settings
    TrojanProxy:Win32/Koobface.gen!A adds a program-based firewall exception for the file that was previously dropped, i.e. %SystemRoot%\System32\rundll32.exe. It also adds a port-based firewall exception for ports 80 and 7070.

    Modifies Proxy Settings
    TrojanProxy:Win32/Koobface.gen!A attempts to modify proxy settings for Internet Explorer and Firefox. It configures the WinHTTP proxy-server setting for http to "localhost:7070" via the following registry modifications:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = http=localhost:7070
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = http=localhost:7070
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride = *.local;<local>
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride = *.local;<local>
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0x01
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0x01
    It also attempts to modify Mozilla Firefox settings via the configuration file 'prefs.js'. The following three lines are added:
    user_pref("network.proxy.http", "localhost");
    user_pref("network.proxy.http_port", 7070);
    user_pref("network.proxy.type", 1);

    Mediates/Redirects Search Results
    The DLL monitors search queries made to the search engines of Google, Yahoo, MSN / Live Search, AOL and Ask. The results of searches are redirected according to directives supplied from a control server located at IP 85.13.236.154.

    Additional Information
    The DLL creates the mutex 'NFRMUTEX'. TrojanProxy:Win32/Koobface.gen!A may create the following data files:
  • %SystemRoot%\system32\nfr.assembly
  • %SystemRoot%\system32\nfr.mpref
  • %SystemRoot%\system32\nfr.gpref
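A host check for the indicators described in the Symptoms and Payload sections above (the dropped nfr.* files, the "nfr" Run value, the localhost:7070 proxy settings, the Firefox prefs.js lines and the NFRMUTEX mutex), written here as an added example; it is not part of the original writeup. It assumes PowerShell 5.1 or later on the affected Windows host, an elevated session so HKLM is readable, and that Firefox profiles live under %APPDATA%\Mozilla\Firefox\Profiles.

```powershell
# Added example, not from the original writeup: report the TrojanProxy:Win32/Koobface.gen!A
# indicators this page lists. Assumes PowerShell 5.1+; run elevated so HKLM is readable.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: Run value "nfr" that launches nfr.dll through rundll32
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
        -Name 'nfr' -ErrorAction SilentlyContinue
if ($run) { $findings.Add("Run value 'nfr' = $($run.nfr)") }

# 2. Dropped component and its data files under %SystemRoot%\system32
foreach ($name in 'nfr.dll', 'nfr.assembly', 'nfr.mpref', 'nfr.gpref') {
    $path = Join-Path $env:SystemRoot "system32\$name"
    if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
}

# 3. IE/WinHTTP proxy forced through the local listener on port 7070
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $ie = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($ie -and $ie.ProxyEnable -eq 1 -and "$($ie.ProxyServer)" -match 'localhost:7070') {
        $findings.Add("$hive proxy enabled: $($ie.ProxyServer)")
    }
}

# 4. Firefox prefs.js pointing at the same local proxy (profile location is an assumption)
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path -LiteralPath $profiles) {
    Get-ChildItem -LiteralPath $profiles -Directory | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        if ((Test-Path -LiteralPath $prefs) -and
            (Select-String -Path $prefs -Pattern 'network\.proxy\.http_port",\s*7070' -Quiet)) {
            $findings.Add("Firefox proxy port 7070 set in $prefs")
        }
    }
}

# 5. Mutex created by the running DLL; TryOpenExisting succeeds only while it is live
$mutex = $null
if ([System.Threading.Mutex]::TryOpenExisting('NFRMUTEX', [ref]$mutex)) {
    $findings.Add("Mutex NFRMUTEX is present (component currently running)")
    $mutex.Dispose()
}

if ($findings.Count -eq 0) { Write-Output 'No Koobface.gen!A indicators found.' }
else { $findings | ForEach-Object { Write-Output "INDICATOR: $_" } }
```

A hit on the proxy or prefs.js checks alone can also come from legitimate local proxy software, so treat those as corroborating signals and the nfr.* files, Run value and mutex as the decisive ones.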


  • Analysis by Scott Molenkamp

    Last update 27 March 2009
