W32/Koobface.worm.gen.e
- Type: Virus
- SubType: Generic Worm
- Discovery Date: 06/07/2009
- Length:
- Minimum DAT: 5639 (06/07/2009)
- Updated DAT: 5799 (11/11/2009)
- Minimum Engine: 5.2.00
- Description Added: 06/07/2009
- Description Modified: 07/14/2009 1:06 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update July 14, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/07/10/twitter_koobface_spread/
W32/Koobface.worm.gen.e spreads by sending bogus tweets that appear to link to a video but actually point to a page carrying exploit code that poses as a video codec. Users who follow this link and install the "codec" are infected with the Koobface worm.
Symptoms
The worm downloads further malware onto the infected machine, dropping the following files:
%WinDir%\freddy<RANDOM NUMBER>.exe
%WinDir%\ld12.exe
%WinDir%\nbron_<RANDOM NUMBER>.exe
C:\Program Files\captcha<RANDOM NUMBER>.dll
%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\<RANDOM NAME FOLDER>\captcha<RANDOM NUMBER>.exe
%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\<RANDOM NAME FOLDER>\fb. <RANDOM NUMBER>.exe
The following registry keys and values are created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Deleted Device IDs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Deleted Device IDs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Captcha<RANDOM NUMBER>" = "rundll "C:\Program Files\captcha<RANDOM NUMBER>.dll",captcha"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"sysldtray" = "%windir%\ld12.exe"
It connects to the following domains:
tri[blocked].com
upload.[blocked]-multimedia.be
[blocked]-cgpay.net
upr[blocked].com
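As an added example (not part of the McAfee description), a small Python check that flags the persistence entries and dropped-file names listed above on a host. It assumes that the `<RANDOM NUMBER>` placeholder is a run of digits; the Run-key values and paths it is fed are constructed sample data, not captures from a real system.

```python
import re

# Dropped-file name patterns from the Symptoms section. <RANDOM NUMBER> is
# modelled as one or more digits (an assumption; the page does not state the format).
DROPPED_FILE_PATTERNS = [
    re.compile(r"\\freddy\d+\.exe$", re.I),
    re.compile(r"\\ld12\.exe$", re.I),
    re.compile(r"\\nbron_\d+\.exe$", re.I),
    re.compile(r"\\captcha\d+\.(dll|exe)$", re.I),
    re.compile(r"\\fb\.\s?\d+\.exe$", re.I),
]

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def suspicious_run_values(run_values):
    """Return (name, data) pairs from the Run key that match the two
    persistence entries described for this worm.
    run_values: dict of value name -> value data read from RUN_KEY."""
    hits = []
    for name, data in run_values.items():
        # "Captcha<RANDOM NUMBER>" loading captcha<RANDOM NUMBER>.dll via rundll
        if re.fullmatch(r"captcha\d+", name, re.I) and re.search(r"captcha\d+\.dll", data, re.I):
            hits.append((name, data))
        # "sysldtray" pointing at %windir%\ld12.exe
        elif name.lower() == "sysldtray" and data.lower().endswith(r"\ld12.exe"):
            hits.append((name, data))
    return hits


def suspicious_paths(paths):
    """Return the file paths whose names match one of the dropped-file patterns."""
    return [p for p in paths if any(pat.search(p) for pat in DROPPED_FILE_PATTERNS)]


# Constructed sample data for a stand-alone run (not taken from a real host).
SAMPLE_RUN_VALUES = {
    "Captcha4821": 'rundll "C:\\Program Files\\captcha4821.dll",captcha',
    "sysldtray": "%windir%\\ld12.exe",
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",  # benign entry, must not match
}
SAMPLE_PATHS = [
    r"C:\WINDOWS\freddy37.exe",
    r"C:\WINDOWS\system32\notepad.exe",  # benign, must not match
    r"C:\Program Files\captcha4821.dll",
    r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K1ABCD3\fb.9021.exe",
]

if __name__ == "__main__":
    for name, data in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"Run value {name!r} -> {data!r}")
    for p in suspicious_paths(SAMPLE_PATHS):
        print("dropped file:", p)
```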
Method of Infection
The worm spreads by sending bogus tweets that appear to link to a video but actually point to a file which is downloaded and installed.
Removal
A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
N/A
Overview
W32/Koobface.worm.gen.e is a variant of the Koobface worm, which previously infected users of Facebook and MySpace and is now spreading among users of the micro-blogging website Twitter.