TrojanProxy:Win32/Koobface.gen!G is the generic detection for a DLL component of the Win32/Koobface family. The DLL is installed as a system service and acts as a local proxy that redirects the browser to an attacker-controlled server when certain legitimate Web sites are accessed.
Installation
TrojanProxy:Win32/Koobface.gen!G may be dropped and installed by other components of the Win32/Koobface family, for example TrojanDropper:Win32/Koobface.E. The dropped file name and location vary from sample to sample. One observed sample is dropped as the following:
<Program Files>\ddnsfilter\ddnsfilter.dll
It may also be registered as a system service, for example under the name 'ddnsfilter', by creating the following registry entry (a Start value of 2 means the service is started automatically at boot):
Adds value: "Start"
With data: "2"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\ddnsfilter
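The following triage script is an added example and is not code from the Microsoft write-up. It looks for the persistence artifacts described above on a suspect host: the service key under HKLM\SYSTEM\CurrentControlSet\Services and the dropped DLL under Program Files. The name 'ddnsfilter' and the ddnsfilter.dll path come from the write-up; the $ServiceNames parameter, the ServiceDll lookup under the service's Parameters subkey, and the check of both Program Files folders are assumptions added here, since other samples use other names and the write-up only lists the Start value.

```powershell
# Added example, not code from the Microsoft write-up: look for the persistence
# artifacts described above. 'ddnsfilter' and <Program Files>\ddnsfilter\ddnsfilter.dll
# come from the write-up; $ServiceNames is an assumption (other samples use other
# names), so extend it with names from your own samples. Run in an elevated prompt.
param(
    [string[]] $ServiceNames = @('ddnsfilter')
)

$findings = @()

foreach ($name in $ServiceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $findings += [pscustomobject]@{
            Indicator = 'Service key'
            Value     = $key
            Detail    = "Start=$($props.Start) (2 = auto start) ImagePath=$($props.ImagePath)"
        }
        # A DLL service usually runs inside svchost.exe and names its DLL in
        # Parameters\ServiceDll. That this sample uses that layout is an assumption;
        # the write-up only lists the Start value.
        $paramKey = Join-Path $key 'Parameters'
        if (Test-Path $paramKey) {
            $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
            if ($dll) {
                $expanded = [Environment]::ExpandEnvironmentVariables($dll)
                $findings += [pscustomobject]@{
                    Indicator = 'ServiceDll'
                    Value     = $dll
                    Detail    = "FileExists=$(Test-Path $expanded)"
                }
            }
        }
    }

    # Observed drop location: <Program Files>\<name>\<name>.dll. Both Program Files
    # folders are checked because a 32-bit dropper lands in the (x86) folder on x64.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $dllPath = Join-Path $root "$name\$name.dll"
        if (Test-Path $dllPath) {
            $item = Get-Item $dllPath
            $findings += [pscustomobject]@{
                Indicator = 'Dropped DLL'
                Value     = $dllPath
                Detail    = "Size=$($item.Length) Modified=$($item.LastWriteTime)"
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No Koobface.gen!G persistence artifacts found for: $($ServiceNames -join ', ')"
}
```

A hit from this script is a reason to stop and disable the service (Set-Service -StartupType Disabled, or sc config <name> start= disabled) and reboot before deleting the DLL: the write-up notes that the component recreates its files and registry entries when they are removed, so deleting the file while the service is still running is unlikely to stick.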
Payload
Redirects network traffic
TrojanProxy:Win32/Koobface.gen!G listens on a local port (8085 in the analysed sample) to communicate with the device driver component of Koobface, such as VirTool:WinNT/KoobFace.E. All traffic that comes from or goes to ports 53 (DNS) and 80 (HTTP) is redirected to this port, so the proxy sees, and can answer, the machine's name lookups and Web requests.
Redirects Web site access
TrojanProxy:Win32/Koobface.gen!G works as a proxy to redirect access to certain Web sites. Whenever the user attempts to browse to one of these legitimate Web sites, the trojan serves content from an attacker-controlled server instead.
Web sites whose addresses contain the following strings are made inaccessible to the user:
aolcdn.com
ask
bing
gmodules.com
google
googleadservices
img.youtube.com
metacafe.com
sa.aol.com
search.aol
search.live
search.msn
search.mywebsearch
search.yahoo
sugg.search
toolbarqueries
yahooapis.com
yimg.com
Instead, the request is directed to an attacker-controlled remote server such as the following:
85.13.236.154
ze-biz.com
Connects to a remote server
TrojanProxy:Win32/Koobface.gen!G reports infection of the system to a remote server, such as 'ze-biz.com' or '85.13.236.154'.
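The script below is an added example, not code from the Microsoft write-up. It checks the network-side indicators described in the Payload section on a suspect host: a listener on the proxy port, legitimate search hosts resolving to the attacker address (the sign that port 53 traffic is being answered by the proxy), and live connections to the reporting server. Port 8085, 85.13.236.154 and ze-biz.com are the values the write-up gives for the analysed sample and were current at the time of that analysis; other samples may use other ports and servers. The $SearchHosts list is a constructed sample of host names matching the list above, and the netstat fallback for systems without Get-NetTCPConnection is an addition here.

```powershell
# Added example, not code from the Microsoft write-up: check the network indicators
# described above. Port 8085, 85.13.236.154 and ze-biz.com are the write-up's values for
# the analysed sample; other samples may differ. $SearchHosts is a constructed sample of
# host names matching the list above. Run on the suspect host, in an elevated prompt.
$ProxyPort   = 8085
$AttackerIPs = @('85.13.236.154')
$C2Hosts     = @('ze-biz.com')
$SearchHosts = @('www.google.com', 'www.bing.com', 'search.yahoo.com')  # constructed sample

$haveNetTcp = [bool](Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue)

# 1. Is anything listening on the port the DLL uses to talk to the driver component?
if ($haveNetTcp) {
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $ProxyPort -ErrorAction SilentlyContinue
} else {
    # Systems without the NetTCPIP module (XP/2003/Windows 7): parse netstat instead.
    # Example line: "  TCP    0.0.0.0:8085    0.0.0.0:0    LISTENING    1234"
    $listeners = netstat -ano | Select-String ":$ProxyPort\s+\S+\s+LISTENING" | ForEach-Object {
        [pscustomobject]@{ LocalPort = $ProxyPort; OwningProcess = [int](($_.Line.Trim() -split '\s+')[-1]) }
    }
}
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        "Listener on TCP $ProxyPort owned by PID $($l.OwningProcess) ($($proc.ProcessName))"
    }
} else {
    "Nothing listening on TCP $ProxyPort"
}

# 2. Do legitimate search hosts (or the C2 name) resolve to the attacker address?
#    On an infected host the proxy answers DNS, so the hijack shows up in resolution.
foreach ($h in ($SearchHosts + $C2Hosts)) {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.ToString() }
    } catch {
        "$h : resolution failed ($($_.Exception.Message))"
        continue
    }
    $hit = $addrs | Where-Object { $AttackerIPs -contains $_ }
    if ($hit) { "$h resolves to attacker address $($hit -join ', ')" }
    else      { "$h -> $($addrs -join ', ')" }
}

# 3. Any current connection to the reporting server?
if ($haveNetTcp) {
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $AttackerIPs -contains $_.RemoteAddress } |
        ForEach-Object { "Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)" }
} else {
    $conns = netstat -ano | Select-String ($AttackerIPs -join '|') | ForEach-Object { $_.Line.Trim() }
}
if ($conns) { $conns } else { "No connections to $($AttackerIPs -join ', ') at the moment" }
```

The DNS check only means something when run on the suspect host itself, because it is that host's port 53 traffic that the driver diverts to the proxy; the same lookups from a clean machine on the same network will return normal results. A clean result for the reporting server proves little on its own, since the report is sent at infection time rather than continuously.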
Additional information
If its files are deleted or moved, TrojanProxy:Win32/Koobface.gen!G attempts to recreate its dropped files and registry entries so that it remains able to run on the system.
Analysis by Shawn Wang