Win32/Koobface [Threat Name]
Win32/Koobface.NBH [Threat Variant Name]
Category | worm
Size | 49152 B
Aliases | Net-Worm.Win32.Koobface.bno (Kaspersky), W32.Koobface.D (Symantec), W32/Koobface.worm.gen.g (McAfee)
Short description
Win32/Koobface.NBH is a worm that is spread via links in social networking sites.
Installation
When executed, the worm copies itself into the following location:
- %windir%\pp12.exe
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "pp" = "%windir%\pp12.exe"
The following Registry entry is removed:
- [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating]
The worm may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
- "EnabledV8" = 0
- "ShownServiceDownBalloon" = 0
Other information
The worm checks for Internet connectivity by trying to connect to the following server:
- www.google.com
The worm acquires data and commands from a remote computer or the Internet.
The worm connects to the following addresses:
- anlaegkp.dk
- aricosenza.it
- captchastop.com
- capthcabreak.com
- mymegadomain03072009.com
- rtrans.spb.ru
- stjosephhousesales.com
- sttmedia.se
The user may be redirected to one of the following Internet web sites:
- http://promservice.sky.ru/.sys/%removed%
- http://trinityonline.biz/.sys/%removed%
The worm uses social-engineering techniques to entice users to download the "Windows Web Security" application.
"Windows Web Security" displays warnings about supposed problems detected on the compromised computer that need to be fixed (example screenshots omitted).
The reported problems/threats are fake.
The worm creates the following files:
- %windir%\fdgg34353edfgdfdf
- dxxdv34567.bat
The worm can download a file from the Internet over HTTP.
The file is then saved as %temp%\grrpd_1023.exe and executed.
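As an added defender-side example, not part of the ESET entry or its own tooling: a read-only PowerShell triage script that checks a Windows host for the file and Registry artefacts listed in this description. The paths and value names are taken from the entry; the script's structure, and its assumption that the currently logged-on user's HKCU hive is the one to inspect, are mine.

```powershell
# Added example: read-only triage for the Win32/Koobface.NBH artefacts described above.
# Run from an elevated prompt as the affected user (HKLM needs admin, HKCU needs that user).
$findings = @()

# 1. Dropped copy of the worm in the Windows directory
$dropPath = Join-Path $env:windir 'pp12.exe'
if (Test-Path -LiteralPath $dropPath) {
    $findings += "File present: $dropPath"
}

# 2. Run-key persistence: value "pp" pointing at pp12.exe
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).pp
if ($runValue -and $runValue -match 'pp12\.exe') {
    $findings += "Run key value 'pp' = $runValue"
}

# 3. Internet Explorer phishing filter switched off by the worm
$pfKey = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'
$pf    = Get-ItemProperty -Path $pfKey -ErrorAction SilentlyContinue
if ($pf -and $pf.EnabledV8 -eq 0) {
    $findings += "PhishingFilter EnabledV8 = 0 (ShownServiceDownBalloon = $($pf.ShownServiceDownBalloon))"
}

# 4. Other files named in the description (dxxdv34567.bat has no directory given, so it is not checked)
$extra = @((Join-Path $env:windir 'fdgg34353edfgdfdf'), (Join-Path $env:TEMP 'grrpd_1023.exe'))
foreach ($p in $extra) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 5. Sound-scheme key the worm deletes; its absence alone is weak evidence, so report it last
$navKey = 'HKCU:\AppEvents\Schemes\Apps\Explorer\Navigating'
if (-not (Test-Path -Path $navKey)) {
    $findings += "Registry key missing: $navKey"
}

if ($findings.Count -eq 0) { 'No Koobface.NBH indicators found.' } else { $findings }
```

A hit on items 1 or 2 is the strong signal; items 3 and 5 are configuration states that legitimate software or users can also produce, so treat them as corroborating evidence rather than proof on their own.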