Threat behavior
TrojanDropper:Win32/Koobface.N is the detection for the malware dropper component of certain members of the
Win32/Koobface family. It drops and installs the proxy and driver components.
Payload
Drops other Koobface components
TrojanDropper:Win32/Koobface.N drops the following files on the computer:
- <system folder>\drivers\wzs.sys - driver component; on a 32-bit system the dropped driver is a 32-bit version, detected as VirTool:WinNT/Koobface.gen!F; on a 64-bit system the dropped driver is a 64-bit version, detected as VirTool:Win64/Koobface.F.
It sets up the proxy component as an auto-start service by creating the following registry entries and subkeys:
Adds value: "servciedll"
With data: "<system folder>\wsz.dll"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\WWZS\Parameters
Adds value: "ImagePath"
With data: "C:\WINDOWS\system32\svchost.exe -k WWZS"
Adds value: "Start"
With data: "2"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\WWZS
Modifies firewall settings
TrojanDropper:Win32/Koobface.N attempts to add a firewall exception for the proxy server component. It also adds a firewall exception for TCP port 8085, and may attempt to connect to this port to check whether the current system is already infected.
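A defender-side triage check for the service, file and firewall artifacts described above, added here as an example and not part of the original analysis. The file, registry key and port values are taken from this description; the script layout and output strings are my own, and it assumes a Windows 8 / Server 2012 or later host (for the NetSecurity and NetTCPIP cmdlets) run from an elevated prompt.

```powershell
# Added triage example (not from the original analysis): looks for the persistence
# and firewall artifacts described for TrojanDropper:Win32/Koobface.N.
# Names below come from the description; a hit is an indicator, not proof of infection.

$sys = [Environment]::GetFolderPath('System')   # typically C:\Windows\system32
$findings = @()

# 1. Dropped files: driver and proxy DLL, spelled as given in the description
foreach ($f in @("$sys\drivers\wzs.sys", "$sys\wsz.dll")) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. svchost-hosted service 'WWZS' registered as auto-start (Start=2)
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WWZS'
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
    $findings += "Service key present: $svcKey (ImagePath='$($svc.ImagePath)', Start=$($svc.Start))"
    $params = Get-ItemProperty -LiteralPath "$svcKey\Parameters" -ErrorAction SilentlyContinue
    if ($params) {
        # List every value under Parameters so the DLL path is seen whatever the value is named
        $params.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $findings += "  Parameters\$($_.Name) = $($_.Value)" }
    }
}

# 3. Firewall rules that allow inbound TCP 8085 (the exception the dropper adds)
$portFilters = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '8085' }
foreach ($pf in $portFilters) {
    $rule = $pf | Get-NetFirewallRule
    if ($rule.Action -eq 'Allow') {
        $findings += "Firewall rule allowing TCP 8085: '$($rule.DisplayName)' (Enabled=$($rule.Enabled))"
    }
}

# 4. Anything already listening on TCP 8085, the port the dropper probes for an existing infection
Get-NetTCPConnection -State Listen -LocalPort 8085 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Listener on TCP 8085: PID $($_.OwningProcess) ($($p.ProcessName))"
    }

if ($findings.Count -eq 0) { 'No Koobface.N indicators found.' } else { $findings }
```

Any listed service key or firewall rule should be confirmed against the dropped files before removal, since the service name and port could be reused by legitimate software.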
Analysis by Chun Feng
Prevention