W32/Koobface.worm

Type: Virus
SubType: Win32
Discovery Date: 08/03/2008
Length: Varies
Minimum DAT: 5353 (08/04/2008)
Updated DAT: 5478 (12/29/2008)
Minimum Engine: 5.2.00
Description Added: 08/03/2008
Description Modified: 12/08/2008 10:11 AM (PT)
Risk Assessment: Corporate User: Low-Profiled; Home User: Low-Profiled

Characteristics

-- Update December 8, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/c/a/Security/Koobface-Virus-Turns-Up-on-Facebook/?kc=rss

------

---Update on December 03, 2008---

A new variant of Koobface.worm has been seen spreading on Facebook. The worm sends Facebook users messages containing a link (screenshot of the message not reproduced here).

Users who click the link are redirected to a page (screenshot not reproduced here) that presents an ActiveX control claiming their Flash Player is out of date. The offered "update" is the Koobface malware itself; at the time of testing the file was named "flash_update.exe".

When run, flash_update.exe displays an error message but in fact drops a copy of itself as %WinDir%\bolivar28.exe and executes it.

The dropped file is a downloader and connects to the following domains:

  • y171108.com
  • aibcvienna.org
  • mediabspl.com

---Update on August 11, 2008---

The risk assessment of the new variant has been updated to Low-Profiled due to media attention at:

http://www.pcworld.com/businesscenter/article/149559/malicious_hackers_use_facebook_wall_for_malware_attack.html
On execution, this variant downloads and displays a harmless decoy picture (saved as %WinDir%\joke.gif) from the following web site:

  • img.123greetings.com

(where %WinDir% is the Windows directory, for example C:\WINNT or C:\WINDOWS)

It also downloads further malware (detected as BackDoor-AWQ.b and Generic Backdoor) from the following remote servers:

  • ipluginu.cn
  • currentsession.net

These components in turn download additional malware.

The following files are added under %WinDir%:

  • %WinDir%\system32\splm\kbdsapi.dll
  • %WinDir%\system32\splm\lmfunit32.dll
  • %WinDir%\system32\splm\mcaserv32.dll
  • %WinDir%\system32\splm\ncsjapi32.exe
  • %WinDir%\system32\nScan\ecls.exe
  • %WinDir%\system32\nScan\ekrn.exe
  • %WinDir%\system32\nScan\ekrnAmon.dll
  • %WinDir%\system32\nScan\ekrnEmon.dll
  • %WinDir%\system32\nScan\ekrnEpfw.dll
  • %WinDir%\system32\nScan\ekrnScan.dll
  • %WinDir%\system32\nScan\em000_32.dat
  • %WinDir%\system32\nScan\em001_32.dat
  • %WinDir%\validate.inf

(The nScan file names, such as ekrn.exe and ecls.exe, mimic the component names of ESET NOD32 Antivirus; do not assume a file is legitimate because its name looks like a security product's.)

The following registry entries are added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B\StubPath: "%WinDir%\System32\splm\ncsjapi32.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir%\System32\splm\ncsjapi32.exe"
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "2"
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Intelli Mouse Pro Version 2.0B: "%WinDir%\System32\splm\ncsjapi32.exe"
  • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir%\System32\splm\ncsjapi32.exe"
  • HKEY_USERS\Software\Microsoft\Windows\nScan32\ExecuteDate: "14\8\2008"

The Run, RunOnce and Active Setup StubPath entries all launch the dropped ncsjapi32.exe at startup or logon. A RunOnce value name prefixed with "*" is executed even when Windows starts in Safe Mode, so booting into Safe Mode does not bypass this persistence. Setting Explorer's Hidden value to "2" turns off the display of hidden files in Explorer.
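The persistence entries above can be hunted for offline in a registry export (regedit's .reg format). The script below is an added example and is not code from the advisory; the .reg text is constructed for illustration (it uses HKEY_CURRENT_USER where the advisory writes HKEY_USERS), and the function names are the example's own. It flags any auto-start value that points into the advisory's drop directory and separately flags the "*"-prefixed RunOnce name that survives Safe Mode.

```python
import re

# Auto-start locations the advisory says the worm writes to, as
# case-insensitive substrings of the full key path.
ASEP_KEYS = (
    r"\software\microsoft\windows\currentversion\run",  # also matches RunOnce
    r"\software\microsoft\active setup\installed components",
)
# Directory of the dropped ncsjapi32.exe, per the advisory.
KOOBFACE_DIR = "\\system32\\splm\\"

# Constructed .reg export for illustration; not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B]
"StubPath"="C:\\WINDOWS\\System32\\splm\\ncsjapi32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*Intelli Mouse Pro Version 2.0B"="C:\\WINDOWS\\System32\\splm\\ncsjapi32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Intelli Mouse Pro Version 2.0B"="C:\\WINDOWS\\System32\\splm\\ncsjapi32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_reg(text):
    """Return (key, value_name, data) for each string value in a .reg export.

    Only REG_SZ values of the form "name"="data" are handled, which is all
    the advisory's indicators need; the \\ escapes in data are unescaped.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            entries.append((key, name, data))
    return entries


def suspicious_autoruns(entries):
    """Flag auto-start entries matching the advisory's persistence indicators.

    Returns [(key, value_name, [reason, ...]), ...] in export order.
    """
    hits = []
    for key, name, data in entries:
        k = key.lower()
        if not any(a in k for a in ASEP_KEYS):
            continue
        reasons = []
        # A leading "*" on a RunOnce value name makes Windows run it even in
        # Safe Mode, which is why the worm uses it.
        if "runonce" in k and name.startswith("*"):
            reasons.append("runonce-safe-mode")
        if KOOBFACE_DIR in data.lower():
            reasons.append("koobface-drop-dir")
        if reasons:
            hits.append((key, name, reasons))
    return hits


if __name__ == "__main__":
    for key, name, reasons in suspicious_autoruns(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name}: {', '.join(reasons)}")
```

The benign ctfmon.exe entry in the same Run key is left alone, since the match is on the drop directory rather than on "anything in Run". On a live system the same logic applies to the output of `reg export` for HKLM\SOFTWARE and each loaded user hive.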

The hosts file is modified so that the compromised machine can no longer reach most security vendors' web sites, such as:

  • ar.atwola.com
  • my-etrust.com
  • trendmicro.com
  • norton.com
  • nai.com
  • sophos.com
  • and others
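A hosts-file override of a security vendor's domain is a strong indicator on its own, whatever address it maps to. The following is an added example (not code from the advisory) that parses a hosts file and reports any mapping for the domains listed above or their subdomains; the sample hosts content is constructed, and the domain list is a starting point since the advisory's own list is open-ended.

```python
import ipaddress

# Security-vendor domains the advisory lists as blocked via the hosts file.
SECURITY_DOMAINS = (
    "ar.atwola.com", "my-etrust.com", "trendmicro.com",
    "norton.com", "nai.com", "sophos.com",
)

# Constructed sample hosts file; not captured from a real infection.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
0.0.0.0 update.nai.com   # appended by the infection
10.0.0.5 intranet.example.local
"""


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping in a hosts file.

    Comments and blank lines are skipped; a line whose first field is not
    an IP address is ignored rather than treated as a mapping.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, str(ip), name.lower()))
    return entries


def is_security_domain(name):
    """True if name is one of the vendor domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacked(text):
    """Return hosts-file mappings that override a security vendor's domain.

    Every such mapping is reported regardless of the target address: a
    workstation has no legitimate reason to pin these names.
    """
    return [
        (lineno, ip, name)
        for lineno, ip, name in parse_hosts(text)
        if is_security_domain(name)
    ]


if __name__ == "__main__":
    for lineno, ip, name in find_hijacked(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the parser accepts the tab- or space-separated layout that file uses and tolerates trailing comments.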

----------------------------------

W32/Koobface.worm spreads via Facebook and MySpace. Each current variant targets either Facebook or MySpace, not both.

The following files could be created depending on the variant (the filepath is hardcoded):

  • C:\WINDOWS\fbtre6.exe
  • C:\WINDOWS\mstre6.exe
  • C:\WINDOWS\f49f4d98.dat
  • C:\WINDOWS\t49f4d98.dat
  • C:\WINDOWS\fmark2.dat
  • C:\WINDOWS\tmark2.dat

The worm connects to the following domain, issues an HTTP POST, and receives instructions to download and execute additional malware files:

  • zzzping.com

Facebook users receive download links for the worm via Inbox messages from infected contacts; on MySpace, links are posted as comments when an infected user logs into their account.

The current variant poses as a codec installer named codecsetup.exe. When it is run, a dialog box appears with the message "Error installing Codec. Please contact support".

 

Symptoms

  • Unexpected network connections to the domains listed above
  • Presence of the files, registry entries and hosts-file changes listed above
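The network symptom is most useful when checked against proxy or web-gateway logs for the whole estate rather than one host. The script below is an added example, not code from the advisory: it groups requests to the advisory's download and command-and-control domains by client address. The log lines are constructed in a simple "timestamp client method url status" layout, and the function names are the example's own; adapt the field split to your proxy's real format.

```python
from urllib.parse import urlsplit

# Domains the advisory names as download or command-and-control servers.
C2_DOMAINS = (
    "zzzping.com", "y171108.com", "aibcvienna.org",
    "mediabspl.com", "ipluginu.cn", "currentsession.net",
)

# Constructed proxy log lines (timestamp, client IP, method, URL, status);
# illustrative only, not captured traffic.
SAMPLE_LOG = """\
2008-12-03T10:15:01Z 10.1.2.33 POST http://zzzping.com/ 200
2008-12-03T10:15:07Z 10.1.2.33 GET http://img.123greetings.com/ 200
2008-12-03T10:16:12Z 10.1.2.44 GET http://www.example.com/ 200
2008-12-03T10:17:30Z 10.1.2.33 GET http://mediabspl.com/ 404
2008-12-03T10:18:02Z 10.1.2.50 GET http://notzzzping.com/ 200
2008-12-03T10:18:40Z 10.1.2.50 GET http://cdn.y171108.com:8080/ 200
"""


def is_c2_host(host):
    """Exact or subdomain match against the advisory's domains.

    Suffix matching is done on a dot boundary so that look-alike names
    such as notzzzping.com do not match zzzping.com.
    """
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def c2_contacts(log_text):
    """Group requests to known Koobface domains by client address.

    Returns {client_ip: [(timestamp, method, host), ...]} in log order.
    The port is stripped from the URL so "host:8080" still matches.
    """
    contacts = {}
    for raw in log_text.splitlines():
        fields = raw.split()
        if len(fields) != 5:
            continue  # malformed line: skip rather than guess
        ts, client, method, url, _status = fields
        host = (urlsplit(url).hostname or "").lower()
        if is_c2_host(host):
            contacts.setdefault(client, []).append((ts, method, host))
    return contacts


if __name__ == "__main__":
    for client, hits in c2_contacts(SAMPLE_LOG).items():
        print(client)
        for ts, method, host in hits:
            print(f"  {ts} {method} {host}")
```

A 404 from one of these domains is still a hit: the client attempted the contact. The fetch of the decoy picture from img.123greetings.com is deliberately not flagged, since that site is legitimate, but a request to it immediately after a POST to zzzping.com from the same client is worth noting when triaging.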

Method of Infection

The worm spreads by tricking users into downloading and running it from links sent by infected Facebook and MySpace users.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Aliases

  • Net-Worm.Win32.Koobface.b (Kaspersky)
