TrojanProxy:Win32/Koobface.gen!J is the generic detection for a DLL component of the
Win32/Koobface family. It is installed as a system service and redirects the browser to an attacker-controlled server when certain legitimate Web sites are accessed.
Installation
TrojanProxy:Win32/Koobface.gen!J may be dropped and installed by other components of the Win32/Koobface family, for example,
TrojanDropper:Win32/Koobface.E. The dropped file name and location may differ from sample to sample. One observed sample is dropped as the following:
%SystemRoot%\system32\erokosvc.dll
It may also be installed as a system service, for example with the name 'elantos'.
TrojanProxy:Win32/Koobface.gen!J attempts to create a system service for its device driver component if the device driver is not running. One observed sample makes the following registry modification:
Service Name: "birokod"
Service Description: "Windows SBP-2 Menu bcveServ Security Shell Change DHCP"
Image Path: "%SystemRoot%\system32\drivers\mfoko.sys"
Payload
Redirects network traffic
TrojanProxy:Win32/Koobface.gen!J listens on a port (for example, 8085) to communicate with the device driver Koobface component, such as
VirTool:WinNT/KoobFace.E. It redirects all traffic that comes from or goes to ports 53 and 80 to this port.
Redirects Web site access
TrojanProxy:Win32/Koobface.gen!J works as a proxy to redirect access to certain Web sites. Whenever the user attempts to browse certain legitimate Web sites, the trojan loads an attacker-controlled server instead.
Web sites that contain the following strings are made inaccessible to the user:
aolcdn.com
ask
bing
gmodules.com
google
googleadservices
img.youtube.com
metacafe.com
sa.aol.com
search.aol
search.live
search.msn
search.mywebsearch
search.yahoo
sugg.search
toolbarqueries
yahooapis.com
yimg.com
Instead, the browser resolves to an attacker-controlled remote server such as the following:
85.13.236.154
Connects to a remote server
TrojanProxy:Win32/Koobface.gen!J reports infection of the system to a remote server, such as '85.13.236.154'.
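The redirect behaviour described under "Redirects Web site access" and the check-in to the remote server can be turned into a small triage check. The following is an added example, not part of this write-up or of any Microsoft detection logic: it takes the host strings, the observed server address, and the observed service and file names from the description above and matches them against a constructed log of name resolutions and a constructed service inventory. The four-field log format, the sample log lines, the sample service list, and the function names are assumptions made for this illustration.

```python
"""Indicator matching for the Koobface proxy behaviour described above.

Added example, not the write-up's own logic. The log line format
('<timestamp> <client_ip> <requested_host> <resolved_ip>'), the sample
log, and the service inventory are constructed for this illustration.
"""

# Host strings the write-up says the proxy component intercepts.
KOOBFACE_HOST_STRINGS = (
    "aolcdn.com", "ask", "bing", "gmodules.com", "google", "googleadservices",
    "img.youtube.com", "metacafe.com", "sa.aol.com", "search.aol",
    "search.live", "search.msn", "search.mywebsearch", "search.yahoo",
    "sugg.search", "toolbarqueries", "yahooapis.com", "yimg.com",
)

# Attacker-controlled server observed in the write-up (used both as the
# redirect target and as the infection-report server).
KNOWN_REDIRECT_SERVERS = {"85.13.236.154"}

# Service and file names observed in the write-up; they vary between samples,
# so treat these as sample-specific rather than family-wide indicators.
KOOBFACE_SERVICE_NAMES = {"elantos", "birokod"}
KOOBFACE_FILE_NAMES = {"erokosvc.dll", "mfoko.sys"}


def is_targeted_host(host: str) -> bool:
    """True if the host name contains one of the intercepted strings.

    This mirrors the substring matching the write-up describes, so short
    strings such as 'ask' and 'bing' over-match (e.g. 'task.example.org').
    That is why the resolved IP, not the host name, drives severity below.
    """
    lowered = host.lower()
    return any(s in lowered for s in KOOBFACE_HOST_STRINGS)


def classify(host: str, resolved_ip: str):
    """Return 'high', 'medium', or None for one host/IP observation."""
    known_server = resolved_ip in KNOWN_REDIRECT_SERVERS
    if known_server and is_targeted_host(host):
        return "high"    # a targeted site resolved to the attacker server
    if known_server:
        return "medium"  # any contact with the server, e.g. the check-in
    return None


def find_suspicious_redirects(log_lines):
    """Scan constructed log lines and return findings in log order."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        timestamp, client, host, ip = parts
        severity = classify(host, ip)
        if severity:
            findings.append({"time": timestamp, "client": client,
                             "host": host, "ip": ip, "severity": severity})
    return findings


def find_suspicious_services(services):
    """Match (service_name, image_path) pairs against the observed names."""
    hits = []
    for name, image_path in services:
        file_name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.lower() in KOOBFACE_SERVICE_NAMES or file_name in KOOBFACE_FILE_NAMES:
            hits.append(name)
    return hits


# Constructed sample data; 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = [
    "2010-02-16T10:01:02Z 10.0.0.5 www.google.com 85.13.236.154",
    "2010-02-16T10:01:05Z 10.0.0.5 www.example.org 192.0.2.10",
    "2010-02-16T10:01:09Z 10.0.0.7 search.yahoo.com 192.0.2.20",
    "2010-02-16T10:02:11Z 10.0.0.7 img.youtube.com 85.13.236.154",
    "2010-02-16T10:02:40Z 10.0.0.9 update.example.net 85.13.236.154",
    "malformed line",
]
SAMPLE_SERVICES = [
    ("Dhcp", r"C:\Windows\system32\svchost.exe -k NetworkService"),
    ("birokod", r"C:\Windows\system32\drivers\mfoko.sys"),
    ("elantos", r"C:\Windows\system32\erokosvc.dll"),
]

if __name__ == "__main__":
    for finding in find_suspicious_redirects(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['client']} {finding['host']} -> {finding['ip']}")
    print("suspicious services:", find_suspicious_services(SAMPLE_SERVICES))
```

The host list is deliberately the weak half of the match: the trojan itself keys on bare substrings, so a defender matching on them alone would flag ordinary traffic. The resolved address and the service or driver names from the write-up are what make a hit actionable, and only the first of these is stable enough to reuse across samples.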
Additional information
If its files are deleted or moved, TrojanProxy:Win32/Koobface.gen!J attempts to recreate its dropped files and registry entries so that it remains capable of running on the system.
Analysis by Shawn Wang