W32/Koobface.worm.gen.h

Type: Virus
SubType: Generic Worm
Discovery Date: 07/13/2009
Length: Varies
Minimum DAT: 5675 (07/13/2009)
Updated DAT: 5882 (02/04/2010)
Minimum Engine: 5.3.00
Description Added: 07/13/2009
Description Modified: 10/03/2009 8:19 AM (PT)
Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update October 2, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/10/01/facebook_automated_attacks/
--

The worm contains two components, a batch file and a DLL. The batch file, when executed, runs the DLL and then deletes itself.

The DLL component of the worm is dropped into C:\Program Files and run using rundll32.exe. The DLL makes an outbound UDP connection on port 2572 and waits to download other malware.

It creates the following registry key and startup (Run) value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Captcha7: "rundll "C:\Program Files\captcha.dll",captcha"

Symptoms

Presence of the above mentioned files, registry keys, and network activity.
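The following Python helper is an added example for checking a host against the indicators listed above; it is not McAfee tooling and not part of the original description. It assumes input in the shape of `reg query <key> /s` and `netstat -ano -p udp` output (the sample text embedded below is constructed, not captured from an infected machine). The description does not say which end of the UDP exchange carries port 2572, so both the local and the foreign endpoint are tested.

```python
import re

# Indicators published in the description above.
DOWNLOADMANAGER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Captcha7"
DROPPED_DLL = r"C:\Program Files\captcha.dll"
UDP_PORT = 2572


def parse_reg_query(text):
    """Parse `reg query <key> /s`-style output into {key: {value_name: data}}.

    Assumed layout (as `reg query` prints it): a key path on its own line,
    followed by indented lines of the form `    Name    REG_SZ    data`.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
        elif current is not None and line[0].isspace():
            # Columns are separated by runs of whitespace; the data column may
            # itself contain single spaces ("C:\Program Files\..."), so split at most twice.
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            name = parts[0]
            data = parts[2] if len(parts) == 3 else ""
            keys[current][name] = data
    return keys


def check_registry(keys):
    """Return human-readable findings for the registry indicators."""
    findings = []
    lowered = {k.lower(): v for k, v in keys.items()}
    if DOWNLOADMANAGER_KEY.lower() in lowered:
        findings.append("registry key present: " + DOWNLOADMANAGER_KEY)
    for name, data in lowered.get(RUN_KEY.lower(), {}).items():
        # Match on the published value name OR on the dropped DLL path, so a
        # renamed value that still loads captcha.dll is caught as well.
        if name.lower() == RUN_VALUE_NAME.lower() or DROPPED_DLL.lower() in data.lower():
            findings.append(f"startup entry {name!r} in Run key launches: {data}")
    return findings


def _port(endpoint):
    """Port number of an `addr:port` endpoint, or None for `*:*`."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def check_udp(netstat_text):
    """Return (local, foreign, pid) for UDP sockets touching port 2572."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() != "UDP":
            continue
        local, foreign = parts[1], parts[2]
        if UDP_PORT in (_port(local), _port(foreign)):
            pid = int(parts[-1]) if parts[-1].isdigit() else None
            hits.append((local, foreign, pid))
    return hits


def triage(reg_text, netstat_text):
    """Combine both checks into one list of findings (empty means nothing matched)."""
    findings = check_registry(parse_reg_query(reg_text))
    for local, foreign, pid in check_udp(netstat_text):
        findings.append(f"UDP socket on port {UDP_PORT}: {local} -> {foreign} (PID {pid})")
    return findings


# Constructed sample input in the shape of `reg query ... /s` and
# `netstat -ano -p udp` output; not captured from a real infected host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    C:\Program Files\Example\updater.exe
    Captcha7    REG_SZ    rundll "C:\Program Files\captcha.dll",captcha
"""

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:123            *:*                                    1100
  UDP    0.0.0.0:2572           *:*                                    4242
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_NETSTAT):
        print("[!]", finding)
```

On a live Windows host the two text inputs would come from `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (plus a query of the DownloadManager key) and `netstat -ano -p udp`; the PID reported for the port 2572 socket is the process to inspect, and a Run entry pointing at captcha.dll is the persistence the Removal section refers to.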

Method of Infection

The worm is downloaded when a user visits a compromised Facebook profile.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

W32/Koobface.worm.gen.h is a variant of the Koobface worm, which infects Facebook users who visit malicious Facebook profiles.