Home / malware Worm:Win32/Koobface.P
First posted on 07 December 2009.
Source: SecurityHomeAliases :
Worm:Win32/Koobface.P is also known as Trojan.Packed.Hiloti.Gen.2 (BitDefender), Win32/Koobface!generic (CA), Win32.HLLW.Facebook.358 (Dr.Web), Net-Worm.Win32.Koobface.cju (Kaspersky), W32/Koobface.worm.gen.o (McAfee), Mal/FakeSpy-A (Sophos), W32.Koobface.A (Symantec), Worm.Koobface.BXH (VirusBuster).
Explanation :
Worm:Win32/Koobface.P is a worm that spreads by posting messages, containing a link to the worm, to the pages of other contacts on social network sites such as Facebook. This variant of Koobface may arrive posing as an installer for the Internet communications application "Skype".
Top
Worm:Win32/Koobface.P is a worm that spreads by posting messages, containing a link to the worm, to the pages of other contacts on social network sites such as Facebook. This variant of Koobface may arrive posing as an installer for the Internet communications application "Skype". InstallationWhen it's executed, it may create a mutex to ensure only one instance is running in memory. The mutex name usually has a random number and letter combination such as "xx464dg433xx15". The worm may copy itself to the Windows folder usually with following format: %windir%\<letters><2-digit number>.exe (e.g. "ld15.exe")
The worm drops a cleanup batch script file having a pseudo-random file name to the Windows folder as in this example: %windir%\dxxdv34567.bat The worm modifies the registry to run its copy at each Windows start. Adds value: "sysldtray"With data: "<path and file name of Worm:Win32/Koobface.P>" (e.g. "C:\Windows\ld15.exe")To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Spreads Via€¦ Social networking Web sitesWorm:Win32/Koobface.P checks for the presence of Internet cookies for the following Web sites:facebook.com netlog.com bebo.com hi5.com tagged.com The malware uses these Internet cookies to connect to the site and post messages to the list of friends or contacts available in the user's account. Posted messages contain text and a link to a remote Web site. Upon visiting the link, the remote site could contain text stating that the version of Flash Player is outdated and offers an update, which is actually a copy of the worm. Payload Allows remote access and controlWorm:Win32/Koobface.P could connect to a remote server and wait for commands from an attacker that could include any of the following actions: Download updates Send information about the infected computer Retrieve messages to be posted on contacts' pages Start and stop the worm service Changes Windows settingsThe worm may disable the elevation prompt for the Administrator account users by modifying registry data. Modifies value: "ConsentPromptBehaviorAdmin"With data: "0"In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System By modifying this value, the worm turns off displaying the User Account Control (UAC) prompt. Additional InformationThe default setting for the value "ConsentPromptBehaviorAdmin" is "2". Although the worm may disable displaying the UAC prompt, Windows Security Center may warn the user that UAC is turned off.
Analysis by Andrei Florin SaygoLast update 07 December 2009