This post provides further information about removing W32/Koobface.worm, which spreads via Facebook and MySpace. Current variants target either Facebook or MySpace specifically. (Kaspersky name: Net-Worm.Win32.Koobface.b)
A new variant of Koobface.worm has been seen spreading. It creates a copy of itself in the %WINDOWS% directory as:
* freddy35.exe
(where %WINDOWS% is the Windows directory e.g. C:\Windows)
It connects to the following domains and IP address to send information and receive commands over HTTP requests.
* 1dns2[blocked].com
* temp2[blocked].com
* wm210[blocked].com
* open21[blocked].com
* er21[blocked].com
* websrv[blocked].com
* rserve[blocked].org
* 94.142.129.[blocked]
The issued commands include directives to download and install new malware:
STARTONCE|http://www.blankpages.be/[blocked]/websrvx.exe
START|http://www.blankpages.be/[blocked]/captcha6.exe
STARTONCE|http://www.blankpages.be/[blocked]/kaka.exe
FBTARGETPERPOST|10
RAZLOG|1
#BLACKLABEL
The downloaded malware is detected as PWS-LDPinch, Generic Downloader.x and Puper.
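The command response above is a simple line-oriented format: a directive name, a pipe, and an argument, with `#` lines acting as markers. The following parser is an added example (not code from the original post) that turns a captured response into structured records so an analyst can pull out the payload URLs for sandbox submission and the hostnames for a proxy or DNS blocklist. The sample response is constructed from the listing in the post, keeping the `[blocked]` placeholders as literal text; the directive semantics beyond START/STARTONCE are assumed only as far as "a value to record".

```python
"""Parse Koobface-style C2 command lines into structured records.

Added example, not the original post's code. The NAME|argument format and
the '#' marker line are as shown in the post; the sample response below is
constructed from that listing, with the redacted path segments kept as the
literal placeholder "[blocked]".
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample of a command response, copied from the post's listing.
SAMPLE_RESPONSE = """\
STARTONCE|http://www.blankpages.be/[blocked]/websrvx.exe
START|http://www.blankpages.be/[blocked]/captcha6.exe
STARTONCE|http://www.blankpages.be/[blocked]/kaka.exe
FBTARGETPERPOST|10
RAZLOG|1
#BLACKLABEL
"""


@dataclass
class Command:
    name: str
    argument: Optional[str]


def parse_commands(text: str) -> list:
    """Split each non-empty line at the first '|'.

    Lines starting with '#' are kept as a marker with no argument so the
    analyst sees the whole response, not only the download directives.
    """
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            commands.append(Command(line, None))
            continue
        name, sep, arg = line.partition("|")
        commands.append(Command(name, arg if sep else None))
    return commands


def download_urls(commands):
    """URLs from START/STARTONCE directives: the payload stages to submit to a
    sandbox and block at the proxy."""
    return [c.argument for c in commands
            if c.name in ("START", "STARTONCE") and c.argument]


def blocklist_hosts(commands):
    """Distinct hostnames behind those URLs, for a DNS or proxy blocklist."""
    hosts = {urlsplit(u).hostname for u in download_urls(commands)}
    return sorted(h for h in hosts if h)


def numeric_settings(commands):
    """Operator-set tuning values (e.g. FBTARGETPERPOST) as integers."""
    out = {}
    for c in commands:
        if c.argument is not None and c.argument.isdigit():
            out[c.name] = int(c.argument)
    return out


if __name__ == "__main__":
    cmds = parse_commands(SAMPLE_RESPONSE)
    print("payload URLs:", download_urls(cmds))
    print("hosts to block:", blocklist_hosts(cmds))
    print("settings:", numeric_settings(cmds))
```

Run it as-is to see the parsed sample; feed `parse_commands()` the body of a captured HTTP response to process a real one.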
– Update December 8, 2008 –
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/c/a/Security/Koobface-Virus-Turns-Up-on-Facebook/?kc=rss
A new variant of Koobface.worm has been seen spreading on Facebook. The worm sends Facebook users messages containing a link like the one shown below.
It also downloads malware (detected as BackDoor-AWQ.b and Generic Backdoor trojans) from the following remote servers:
* ipluginu.cn
* currentsession.net
The downloaded malware in turn downloads further malware.
The following files are added under the %WinDir% folder:
* %WinDir%\system32\splm\kbdsapi.dll
* %WinDir%\system32\splm\lmfunit32.dll
* %WinDir%\system32\splm\mcaserv32.dll
* %WinDir%\system32\splm\ncsjapi32.exe
* %WinDir%\system32\nScan\ecls.exe
* %WinDir%\system32\nScan\ekrn.exe
* %WinDir%\system32\nScan\ekrnAmon.dll
* %WinDir%\system32\nScan\ekrnEmon.dll
* %WinDir%\system32\nScan\ekrnEpfw.dll
* %WinDir%\system32\nScan\ekrnScan.dll
* %WinDir%\system32\nScan\em000_32.dat
* %WinDir%\system32\nScan\em001_32.dat
* %WinDir%\validate.inf
The following registry keys are added:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B\StubPath: "%WinDir%\System32\splm\ncsjapi32.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir%\System32\splm\ncsjapi32.exe"
* HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "2"
* HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Intelli Mouse Pro Version 2.0B: "%WinDir%\System32\splm\ncsjapi32.exe"
* HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir%\System32\splm\ncsjapi32.exe"
* HKEY_USERS\Software\Microsoft\Windows\nScan32\ExecuteDate: "14\8\2008"
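The persistence above is ordinary Run/RunOnce/Active Setup autostart, so it is easy to audit. The script below is an added example (not code from the original post): it matches autostart entries against the value name and drop paths listed in this post, case-insensitively and ignoring the `*` RunOnce decoration, so a variant that renames the value but keeps the `splm` or `nScan` path still trips. The sample entries are constructed; live collection uses the standard `winreg` module and only runs on Windows, elsewhere `audit_entries()` can be fed entries exported from another tool.

```python
"""Audit Windows autostart entries for the persistence indicators in this post.

Added example, not the original post's code. The indicator strings (the value
name "Intelli Mouse Pro Version 2.0B" and the splm\\ and nScan\\ drop paths)
are taken from the post; SAMPLE_ENTRIES is constructed. collect_live_entries()
reads HKLM/HKCU Run and RunOnce with winreg on Windows and returns [] elsewhere.
"""
import sys
from dataclasses import dataclass

IOC_VALUE_NAME = "intelli mouse pro version 2.0b"
IOC_PATH_FRAGMENTS = ("\\splm\\", "\\nscan\\")


@dataclass
class AutostartEntry:
    key: str    # full registry path, e.g. HKLM\...\Run
    name: str   # value name
    data: str   # value data (the command line)


def is_suspicious(entry):
    """Match on the value name (RunOnce wraps it in '*') or on the drop path."""
    name = entry.name.lower().strip("*")
    if name == IOC_VALUE_NAME:
        return True
    data = entry.data.lower()
    return any(frag in data for frag in IOC_PATH_FRAGMENTS)


def audit_entries(entries):
    """Return only the entries that match an indicator."""
    return [e for e in entries if is_suspicious(e)]


# Constructed sample: two benign entries and two shaped like the post's keys.
SAMPLE_ENTRIES = [
    AutostartEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                   "SecurityHealth",
                   r"C:\Windows\system32\SecurityHealthSystray.exe"),
    AutostartEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                   "OneDrive",
                   r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    AutostartEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                   "Intelli Mouse Pro Version 2.0B",
                   r"C:\WINDOWS\System32\splm\ncsjapi32.exe"),
    AutostartEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
                   "*Intelli Mouse Pro Version 2.0B*",
                   r"C:\WINDOWS\System32\splm\ncsjapi32.exe"),
]


def collect_live_entries():
    """Enumerate Run/RunOnce under HKLM and HKCU (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    subkeys = (r"Software\Microsoft\Windows\CurrentVersion\Run",
               r"Software\Microsoft\Windows\CurrentVersion\RunOnce")
    found = []
    for label, hive in hives.items():
        for sub in subkeys:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue            # key absent or not readable
            with key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break       # no more values
                    found.append(AutostartEntry(f"{label}\\{sub}", name, str(data)))
                    i += 1
    return found


if __name__ == "__main__":
    entries = collect_live_entries() or SAMPLE_ENTRIES
    for e in audit_entries(entries):
        print(f"SUSPICIOUS {e.key}\\{e.name} = {e.data}")
```

On a non-Windows host the script falls back to the constructed sample, which is enough to see the matching logic; the Active Setup StubPath value from the list above is not enumerated by `collect_live_entries()` and would need the same treatment under `Installed Components`.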
The hosts file is modified so that the compromised machine cannot reach most security vendor web sites, such as:
* ar.atwola.com
* my-etrust.com
* trendmicro.com
* norton.com
* nai.com
* sophos.com
* etc
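Because the hosts file is plain text, this tampering is straightforward to detect without vendor tooling. The following script is an added example (not code from the original post): it parses a hosts file, reports every mapping for the vendor domains named above (including their subdomains), and classifies each as "blocked" when the target is loopback or unspecified and "redirected" otherwise. The sample hosts content is constructed, and the redirect target in it is a TEST-NET address chosen for the example, not one of the addresses from this post.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example, not the original post's code. VENDOR_DOMAINS is the list from
the post; SAMPLE_HOSTS is constructed (198.51.100.7 is a documentation-range
address, not an indicator). A loopback or unspecified target means the site
is simply blocked; any other target sends the user somewhere else.
"""
import ipaddress
from dataclasses import dataclass

# Domains the post names as cut off by the worm's hosts-file edit.
VENDOR_DOMAINS = ("ar.atwola.com", "my-etrust.com", "trendmicro.com",
                  "norton.com", "nai.com", "sophos.com")

# Constructed sample hosts file mixing legitimate lines with tampering.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.trendmicro.com   # hijacked
127.0.0.1       trendmicro.com
0.0.0.0         www.norton.com
198.51.100.7    update.sophos.com
192.168.1.50    intranet.example.test
"""


@dataclass
class HostsFinding:
    address: str
    hostname: str
    kind: str   # "blocked" or "redirected"


def matches_vendor(hostname, vendor_domains=VENDOR_DOMAINS):
    """True when hostname equals a vendor domain or is a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in vendor_domains)


def classify_target(address):
    """Loopback or 0.0.0.0 amounts to blocking the site; anything else is a
    redirect. Unparseable targets are treated as redirects to be safe."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "redirected"
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"
    return "redirected"


def parse_hosts(text):
    """Yield (address, hostname) pairs, dropping comments and blank lines.
    One line may carry several hostnames; each gets its own pair."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            yield address, name


def audit_hosts(text, vendor_domains=VENDOR_DOMAINS):
    """Return a finding for every vendor-domain mapping in the file.
    A clean hosts file has no such lines at all."""
    return [HostsFinding(addr, name, classify_target(addr))
            for addr, name in parse_hosts(text)
            if matches_vendor(name, vendor_domains)]


if __name__ == "__main__":
    import sys
    # Pass a real hosts path as the first argument to check it instead of the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"{f.kind:10} {f.hostname:28} -> {f.address}")
```

On Windows the file to pass is `%WinDir%\System32\drivers\etc\hosts`; any vendor domain appearing in it at all is a finding, since legitimate installs do not pin those names.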
———————————-
W32/Koobface.worm spreads via Facebook and MySpace. Current variants only target either Facebook or MySpace specifically.
The following files could be created depending on the variant (the file path is hardcoded):
* C:\WINDOWS\fbtre6.exe
* C:\WINDOWS\mstre6.exe
* C:\WINDOWS\f49f4d98.dat
* C:\WINDOWS\t49f4d98.dat
* C:\WINDOWS\fmark2.dat
* C:\WINDOWS\tmark2.dat
The worm connects to the following domain, issuing an HTTP POST and receiving instructions to download and execute additional malware files:
* zzzping.com
Facebook users receive links to download the worm in Inbox messages from infected users, while on MySpace the links are posted as comments when infected MySpace users log into their accounts.
The current variant of the worm poses as a codec installer named codecsetup.exe. When the worm is run, a dialog box pops up with the message "Error installing Codec. Please contact Antivirus support".