TrojanProxy:Win32/Koobface.gen!A is a component of the Win32/Koobface family. Koobface is a multi-component family of malware used to compromise machines and direct them in various ways at the attacker's will. This could include using the affected machine to distribute additional malware, generate 'pay per click' advertising revenue, steal sensitive data, break captchas, and subvert the affected user's online experience. Its components are varied, but include a worm that spreads by utilizing social networking sites such as Facebook and MySpace.
This particular component appears to be used for redirecting the results of user-initiated searches with several popular search engines, possibly in order to generate 'pay per click' advertising revenue.
When executed, TrojanProxy:Win32/Koobface.gen!A drops the following file:
and modifies the registry so that the dropped DLL is loaded through rundll32.exe at each logon of the affected user:
Adds value: "nfr"
With data: "rundll32.exe nfr.dll,ServiceMain /pid=6004"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Modifies Security Settings
TrojanProxy:Win32/Koobface.gen!A adds a program-based Windows Firewall exception for %SystemRoot%\System32\rundll32.exe, the legitimate Windows host process through which the dropped DLL is loaded (see the Run entry above). Because the exception is granted to rundll32.exe rather than to the DLL itself, it effectively permits inbound connections to any DLL that is later loaded through the same host process. It also adds port-based firewall exceptions for ports 80 and 7070; port 7070 is the port on which the component's local proxy listens.
Modifies Proxy Settings
TrojanProxy:Win32/Koobface.gen!A attempts to modify proxy settings for Internet Explorer and Firefox.
It configures the Internet Explorer (WinINet) proxy-server setting for HTTP to "localhost:7070", so that the browser's web traffic is routed through the malware's local listener before it reaches the network, via the following registry modifications:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = http=localhost:7070
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = http=localhost:7070
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride = *.local;<local>
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride = *.local;<local>
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0x01
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0x01
It also attempts to modify Mozilla Firefox settings via the configuration file 'prefs.js'. The following three lines are added:
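As an added example that is not part of the original analysis: a Python script that checks exported host artifacts for the persistence and proxy-hijack behaviours described in the two sections above. It parses a Windows .reg export of the Run and Internet Settings keys together with a Firefox prefs.js, and flags a Run entry that loads a DLL through rundll32.exe, a WinINet proxy that points at a loopback address while ProxyEnable is set, and Firefox manual-proxy preferences that point at loopback. The sample .reg and prefs.js contents are constructed to mirror the values listed on this page (the OneDrive entry is benign filler); the function names and the rundll32 heuristic are my own, and a loopback proxy on its own is only suspicious, since legitimate local filtering proxies configure one as well.

```python
"""Offline checks for the proxy-hijack and autorun artifacts described above.

Inputs are a .reg export (Windows Registry Editor Version 5.00 format) and a
Firefox prefs.js. Both samples below are constructed, not real captures.
"""
import re

# Constructed .reg export: a benign Run entry plus the values listed on the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"nfr"="rundll32.exe nfr.dll,ServiceMain /pid=6004"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=localhost:7070"
"ProxyOverride"="*.local;<local>"
'''

# Constructed prefs.js. In Firefox, network.proxy.type 1 means "manual proxy".
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 7070);
'''

LOOPBACK = re.compile(r"^(localhost|127\.\d+\.\d+\.\d+|\[?::1\]?)$", re.I)
# Heuristic (mine): an autorun command whose executable is rundll32.exe.
RUNDLL32 = re.compile(r"(^|\\)rundll32(\.exe)?\s", re.I)
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_reg_export(text):
    """Return {key: {value_name: data}}; decodes REG_SZ and REG_DWORD, keeps others raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                # .reg strings escape backslash and double quote with a backslash.
                keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                keys[current][name] = data
    return keys


def parse_prefs_js(text):
    """Return {pref: value} from prefs.js with strings, ints and booleans decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def wininet_proxies(proxy_server):
    """Split a WinINet ProxyServer string ("host:port" or "http=host:port;...")
    into {scheme or '*': (host, port)}."""
    out = {}
    for part in filter(None, proxy_server.split(";")):
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, _, port = hostport.rpartition(":") if ":" in hostport else (hostport, "", "")
        out[scheme.strip().lower()] = (host.strip(), int(port) if port.isdigit() else None)
    return out


def find_indicators(reg, prefs):
    """Return (indicator, detail) tuples for the behaviours described on this page."""
    findings = []
    for key, values in reg.items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf == "run":
            for name, cmd in values.items():
                if isinstance(cmd, str) and RUNDLL32.search(cmd):
                    findings.append(("rundll32_autorun", f"{key}\\{name} = {cmd}"))
        elif leaf == "internet settings":
            if values.get("ProxyEnable") == 1 and isinstance(values.get("ProxyServer"), str):
                for scheme, (host, port) in wininet_proxies(values["ProxyServer"]).items():
                    if LOOPBACK.match(host):
                        findings.append(("wininet_loopback_proxy", f"{key}: {scheme}={host}:{port}"))
    if prefs.get("network.proxy.type") == 1:
        for scheme in ("http", "ssl", "socks"):
            host = prefs.get(f"network.proxy.{scheme}", "")
            if isinstance(host, str) and LOOPBACK.match(host):
                port = prefs.get(f"network.proxy.{scheme}_port")
                findings.append(("firefox_loopback_proxy", f"{scheme}={host}:{port}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in find_indicators(parse_reg_export(SAMPLE_REG), parse_prefs_js(SAMPLE_PREFS)):
        print(f"{indicator:24} {detail}")
```

Against the constructed samples the script reports the nfr Run entry, the WinINet HTTP proxy at localhost:7070 and the Firefox HTTP proxy at localhost:7070, and nothing for the OneDrive entry. On a live host the same logic can be applied to `reg export` output and to the prefs.js in each Firefox profile directory.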
Mediates/Redirects Search Results
Because the browser's HTTP traffic now passes through the local proxy, the DLL can monitor search queries sent to Google, Yahoo, MSN / Live Search, AOL and Ask. The results of these searches are redirected according to directives supplied by a control server located at IP 18.104.22.168.
The DLL creates the mutex 'NFRMUTEX'.
TrojanProxy:Win32/Koobface.gen!A may create the following data files:
Analysis by Scott Molenkamp