Win32/Koobface [Threat Name] go to Threat

Win32/Koobface.NCF [Threat Variant Name]

Category worm
Size 28672 B
Detection created Jul 08, 2009
Detection database version 4223
Aliases Net-Worm.Win32.Koobface.bjc (Kaspersky)
  W32.Koobface.D (Symantec)
  Generic.dx!dsb (McAfee)
Short description

Win32/Koobface.NCF is a worm that spreads through social networking sites. The file is run-time compressed using UPX .

Installation

When executed, the worm copies itself into the following location:

  • %windir%\­tag13.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "SYsTgray2" = %windir%\­tag13.exe

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Hidden" = 2

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Classes\­MIME\­Database\­Content Type\­application/xhtml+xml]
    • "CLSID" = "{25336920-03F9-11cf-8FD0-00AA00686F13}"
    • "Extension" = ".xml"
    • "Encoding" = 08 00 00 00

The following Registry entries are removed:

  • [HKEY_CURRENT_USER\­AppEvents\­Schemes\­Apps\­Explorer\­Navigating]
Spreading

The worm checks for Internet connectivity by trying to connect to the following servers:

  • www.google.com

If no Internet connection is detected, the worm deletes itself.


The worm connects to the following addresses:

  • piupiu-110809.com
  • suz11082009.com
  • boomer-110809.com
  • upr200908013.com
  • xtsd20090815.com
  • Mymegadomain03072009.com

The worm searches for cookies with login sessions related to social networking sites.


The following social networking sites are affected:

  • bebo.com
  • facebook.com
  • hi5.com
  • myspace.com
  • netlog.com
  • tagged.com
  • twitter.com

If the worm finds the appropriate cookie, its content is sent to the following remote computer:

  • xtsd20090815.com

The worm then obtains data and instructions for further action.


The worm spreads by sending messages to people that are "friends" with someone in the social network whose computer has already been infected.


The message contains a URL link to a website containing malware.


If the link is clicked a copy of the worm is downloaded. Some examples follow.


Example (1.) :

Example (2.) :

Example (3.) :

Example (4.) :

Other information

The worm creates the following files:

  • x2.dat
  • %windir%\­xdv34567.bat
  • %windir%\­tgmark2.dat
  • c:\­2.reg

The worm may attempt to download files from the Internet. The HTTP protocol is used.


These are stored in the following locations:

  • %windir%\­%filename%
  • %temp%\­%filename%

A string with variable content is used instead of %filename% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.