Virus Profile: W32/Koobface.worm

Virus Characteristics

----Update on March 03, 2009---

A new variant of Koobface.worm has been seen spreading. It creates a copy of itself in %WINDOWS% directory as:

• freddy35.exe

(where %WINDOWS% is the Windows directory e.g. C:\Windows)

It connects to the following domains and IP to send informations and receive command through HTTP request.

• 1dns2[blocked].com
• temp2[blocked].com
• wm210[blocked].com
• open21[blocked].com
• er21[blocked].com
• websrv[blocked].com
• rserve[blocked].org
• 94.142.129.[blocked]

Issued commands includes downloading and installing new malware.

STARTONCE|http://www.blankpages.be/[blocked]/websrvx.exe
START|http://www.blankpages.be/[blocked]/captcha6.exe
STARTONCE|http://www.blankpages.be/[blocked]/kaka.exe
FBTARGETPERPOST|10
RAZLOG|1
#BLACKLABEL

Downloaded malwares are identified as PWS-LDPinch, Generic Downloader.x and Puper.

-- Update December 8, 2008 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/c/a/Security/Koobface-Virus-Turns-Up-on-Facebook/?kc=rss

---Update on December 03, 2008---

A new variant of Koobface.worm has been seen spreading on Facebook. The worm sends messages with a link like the one shown below, to FaceBook users.

Unsuspecting users may click the link which redirects to a page, a snapshot of which is as follows:

The displayed page contains an ActiveX control, which tells the user that their Flash Player is out of date. An attempt to update links to the Koobface malware file. At the time of testing this file was called "flash_update.exe"

Upon execution of the flash_update.exe file displays an error message but infacts drops and executes a copy of itself  from %WinDir%\bolivar28.exe

The file is a downloader and makes connections to the following domains:

• y171108.com
• aibcvienna.org
• mediabspl.com

---Update on August 11,2008---

The risk assessment of the new variant has been updated to Low-Profiled due to media attention at:

http://www.pcworld.com/businesscenter/article/149559/malicious_hackers_use_facebook_wall_for_malware_attack.html.

Upon execution, it downloads and opens an innocent picture(saved as %WinDir% \joke.gif) from the following web site:

• img.123greetings.com

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It also downloads malwares(identified as BackDoor-AWQ.b trojan and Generic Backdoor trojan) from the following remote server:

• ipluginu.cn
• currentsession.net

The downloaded malwares further download other malwares.

The following files are added in %WinDir% folder:

• %WinDir% \system32\splm\kbdsapi.dll
• %WinDir% \system32\splm\lmfunit32.dll
• %WinDir% \system32\splm\mcaserv32.dll
• %WinDir% \system32\splm\ncsjapi32.exe
• %WinDir%\system32\nScan\ecls.exe
• %WinDir%\system32\nScan\ekrn.exe
• %WinDir%\system32\nScan\ekrnAmon.dll
• %WinDir%\system32\nScan\ekrnEmon.dll
• %WinDir%\system32\nScan\ekrnEpfw.dll
• %WinDir%\system32\nScan\ekrnScan.dll
• %WinDir%\system32\nScan\em000_32.dat
• %WinDir%\system32\nScan\em001_32.dat
• %WinDir%\validate.inf

The following registry keys are added:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B\StubPath: "%WinDir% \System32\splm\ncsjapi32.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir% \System32\splm\ncsjapi32.exe"
• HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "2"
• HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Intelli Mouse Pro Version 2.0B: "%WinDir% \System32\splm\ncsjapi32.exe"
• HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir% \System32\splm\ncsjapi32.exe"
• HKEY_USERS\Software\Microsoft\Windows\nScan32\ExecuteDate: "14\8\2008"

Hosts file is modified to disable the compromised machine to access most of security web sites:

such as:

• ar.atwola.com
• my-etrust.com
• trendmicro.com
• norton.com
• nai.com
• sophos.com
• etc

----------------------------------

W32/Koobface.worm spreads via Facebook and MySpace. Current variants only target either Facebook or MySpace specifically.

The following files could be created depending on the variant (the filepath is hardcoded):

• C:\WINDOWS\fbtre6.exe
• C:\WINDOWS\mstre6.exe
• C:\WINDOWS\f49f4d98.dat
• C:\WINDOWS\t49f4d98.dat
• C:\WINDOWS\fmark2.dat
• C:\WINDOWS\tmark2.dat

The worm can connect to the following domain to do a HTTP post command and receive instructions to download and execute additional malware files:

• zzzping.com

Facebook users receives links to download the worm via Inbox messages from infected users while links are posted in MySpace commentaries when infected MySpace users log into their account.

Current variant of the worm is faked as a codec installer named as codecsetup.exe. When the worm is ran, a dialog box will pop up with the message "Error installing Codec. Please contact support".