Win32/Koobface [Threat Name] go to Threat

Win32/Koobface.NBH [Threat Variant Name]

Category worm
Size 49152 B
Detection created May 25, 2009
Signature database version 4101
Aliases Net-Worm.Win32.Koobface.bno (Kaspersky)
  W32.Koobface.D (Symantec)
  W32/Koobface.worm.gen.g (McAfee)
Short description

Win32/Koobface.NBH is a worm that is spread via links in social networking sites.


When executed, the worm copies itself into the following location:

  • %windir%\­pp12.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "pp" = "%windir%\­pp12.exe"

The following Registry entries are removed:

  • [HKEY_CURRENT_USER\­AppEvents\­Schemes\­Apps\­Explorer\­Navigating]

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­PhishingFilter]
    • "EnabledV8" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­PhishingFilter]
    • "ShownServiceDownBalloon" = 0
Other information

The worm checks for Internet connectivity by trying to connect to the following servers:


The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:


The user may be redirected to one of the following Internet web sites:


The worm uses techniques to entice users to download the "Windows Web Security" application.

The "Windows Web Security" displays warnings about possible problems detected on the compromised computer that need to be fixed.

Some examples follow.

The problems/threats are fake.

The worm creates the following files:

  • %windir%\­fdgg34353edfgdfdf
  • dxxdv34567.bat

The worm can download a file from the Internet.

The file is then saved as %temp%\grrpd_1023.exe and executed.

The HTTP protocol is used.

Please enable Javascript to ensure correct displaying of this content and refresh this page.