Threat behavior
TrojanProxy:Win32/Koobface.gen!F is a generic detection for the proxy component of the
Win32/Koobface family. It creates a proxy on an infected machine to redirect the user's Web browser traffic.
Installation
TrojanProxy:Win32/Koobface.gen!F may be installed by other components of the Win32/Koobface family. TrojanProxy:Win32/Koobface.gen!F may be present as the following, as observed in one example:
%ProgramFiles%\sfx\sfx.dll - TrojanProxy:Win32/Koobface.gen!F
The dropped trojan proxy may be present as a system service named "sfx". The trojan proxy may accompany other malware such as the following:
%ProgramFiles%\sfx\sfx.sys - VirTool:WinNT/Koobface
Payload
Establishes Web proxy
TrojanProxy:Win32/Koobface.gen!F listens on a TCP port (e.g. 8085) and communicates with a device driver component (VirTool:WinNT/Koobface) that redirects all of the browser's connection attempts to this port. TrojanProxy:Win32/Koobface.gen!F then functions as a proxy, forwarding the user's browser requests for certain Web sites to its remote server.
In the wild, the trojan proxy was observed to redirect browser requests for the following domains to a remote server with the IP address '85.13.236.154':
google
search.yahoo
search.msn
search.live
bing
search.aol
ask
search.mywebsearch
googleadservices
sugg.search
img.youtube.com
yimg.com
metacafe.com
yahooapis.com
aolcdn.com
sa.aol.com
TrojanProxy:Win32/Koobface.gen!F reports its installation back to the predefined remote server (e.g. 85.13.236.154). The trojan proxy periodically rewrites its installed file and restores the registry value and data listed below, so that the trojan runs whenever Windows starts:
Modifies value: "Start"
With data: "2"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sfx
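The following is an added example, not part of the original write-up or any Microsoft tooling, showing how the indicators above (the sfx.dll/sfx.sys drop, the Sfx service Start value, the proxy listener port, the contact with 85.13.236.154 and the redirection of search-engine traffic) can be turned into detection logic. It runs over constructed, simplified host telemetry records embedded inline; the record field names (type, path, key, data, port, host, dst_ip) are assumptions for this example, and matching the redirected domains on hostname labels is the author's choice, not a description of how the malware itself matches them.

```python
import re

# Indicators taken from the write-up above
KOOBFACE_SERVER = "85.13.236.154"
PROXY_PORT = 8085                     # example port; a weak indicator on its own
DROPPED_FILE = re.compile(r"\\sfx\\sfx\.(dll|sys)$", re.IGNORECASE)
SERVICE_START_KEY = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\sfx\\Start$", re.IGNORECASE)
# Domain fragments the proxy was observed redirecting
REDIRECTED = ("google", "search.yahoo", "search.msn", "search.live", "bing",
              "search.aol", "ask", "search.mywebsearch", "googleadservices",
              "sugg.search", "img.youtube.com", "yimg.com", "metacafe.com",
              "yahooapis.com", "aolcdn.com", "sa.aol.com")

# Indicators strong enough on their own to call the host infected
HIGH_CONFIDENCE = {"sfx_component_written", "sfx_service_autostart",
                   "search_traffic_redirected"}


def is_redirected_domain(host):
    """True if any fragment from the write-up matches whole labels of host
    ("www.google.com" matches "google"; "task.example.com" does not match "ask")."""
    padded = "." + host.lower().strip(".") + "."
    return any("." + frag + "." in padded for frag in REDIRECTED)


def check_event(ev):
    """Return the names of the indicators a single telemetry record matches."""
    hits = []
    kind = ev.get("type")
    if kind == "file_write" and DROPPED_FILE.search(ev.get("path", "")):
        hits.append("sfx_component_written")
    elif kind == "registry_set":
        if SERVICE_START_KEY.match(ev.get("key", "")) and str(ev.get("data")) == "2":
            hits.append("sfx_service_autostart")
    elif kind == "listen" and ev.get("port") == PROXY_PORT:
        hits.append("proxy_port_listener")
    elif kind == "connect":
        if ev.get("dst_ip") == KOOBFACE_SERVER:
            hits.append("koobface_server_contact")
            # A request for a search domain that ends up at the Koobface server
            # is the redirection behaviour itself, not just a beacon.
            if is_redirected_domain(ev.get("host", "")):
                hits.append("search_traffic_redirected")
    return hits


def scan(events):
    """Map each indicator name to the indices of the events that matched it."""
    findings = {}
    for idx, ev in enumerate(events):
        for name in check_event(ev):
            findings.setdefault(name, []).append(idx)
    return findings


def assess(events):
    """Overall verdict for one host: 'likely_infected', 'suspicious' or 'clean'."""
    findings = scan(events)
    if HIGH_CONFIDENCE & findings.keys():
        return "likely_infected"
    return "suspicious" if findings else "clean"


# Constructed sample telemetry (not real Sysmon/ETW output); 203.0.113.10 is
# a documentation address standing in for a legitimate search-engine IP.
SAMPLE_EVENTS = [
    {"type": "file_write", "path": r"C:\Program Files\sfx\sfx.dll"},
    {"type": "file_write", "path": r"C:\Program Files\sfx\sfx.sys"},
    {"type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Sfx\Start", "data": 2},
    {"type": "listen", "port": 8085},
    {"type": "connect", "host": "www.google.com", "dst_ip": "85.13.236.154"},
    {"type": "connect", "host": "", "dst_ip": "85.13.236.154"},       # install report
    {"type": "connect", "host": "www.google.com", "dst_ip": "203.0.113.10"},
    {"type": "connect", "host": "task.example.com", "dst_ip": "203.0.113.10"},
    {"type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Start", "data": 2},
]

if __name__ == "__main__":
    for name, idxs in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{name}: events {idxs}")
    print("verdict:", assess(SAMPLE_EVENTS))
```

A listener on port 8085 alone only yields "suspicious", since the write-up gives 8085 as an example port; the dropped files, the Services\Sfx Start value and search traffic landing at 85.13.236.154 are what raise the verdict to "likely_infected". Because the trojan periodically rewrites its file and restores the registry value, a responder should expect the file_write and registry_set indicators to recur while the service is still running.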
Analysis by Shawn Wang
Prevention