Worm:Win32/Koobface.P is a worm that spreads by posting messages, containing a link to the worm, to the pages of other contacts on social network sites such as Facebook. This variant of Koobface may arrive posing as an installer for the Internet communications application "Skype".
Installation
When it's executed, it may create a mutex to ensure that only one instance is running in memory. The mutex name is usually a random combination of numbers and letters, such as "xx464dg433xx15". The worm may copy itself to the Windows folder, usually with the following file name format:
%windir%\<letters><2-digit number>.exe (e.g. "ld15.exe")
The worm drops a cleanup batch script with a pseudo-random file name to the Windows folder, as in this example:
%windir%\dxxdv34567.bat
The worm modifies the registry to run its copy at each Windows start.
Adds value: "sysldtray"
With data: "<path and file name of Worm:Win32/Koobface.P>" (e.g. "C:\Windows\ld15.exe")
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spreads via
Social networking Web sites
Worm:Win32/Koobface.P checks for the presence of Internet cookies for the following Web sites:
- facebook.com
- netlog.com
- twitter
- bebo.com
- hi5.com
- tagged.com
The malware uses these cookies to connect to each site and post messages to the list of friends or contacts in the user's account. The posted messages contain text and a link to a remote Web site. When the link is visited, the remote site may display text stating that the installed version of Flash Player is outdated and offer an update, which is actually a copy of the worm.
Payload
Allows remote access and control
Worm:Win32/Koobface.P could connect to a remote server and wait for commands from an attacker, which could include any of the following actions:
- Download updates
- Send information about the infected computer
- Retrieve messages to be posted on contacts' pages
- Start and stop the worm service
Changes Windows settings
The worm may disable the elevation prompt for users of the Administrator account by modifying registry data.
Modifies value: "ConsentPromptBehaviorAdmin"
With data: "0"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
By modifying this value, the worm turns off the User Account Control (UAC) prompt.
Additional Information
The default setting for the value "ConsentPromptBehaviorAdmin" is "2". Although the worm may disable the UAC prompt, Windows Security Center may warn the user that UAC is turned off.
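The following PowerShell script is an added defender-side check, not part of this analysis, that looks for the two registry artifacts described above: the "sysldtray" Run value (or any Run value pointing at a %windir%\<letters><2-digit number>.exe file, a pattern generalized from the "ld15.exe" sample) and a "ConsentPromptBehaviorAdmin" value of 0 instead of the default 2. The function name and the file name regex are assumptions for illustration.

```powershell
# Added example (not from the original analysis): audit the Koobface.P registry artifacts.
# Assumption: the persistence file name pattern <letters><2 digits>.exe under %windir%
# is generalized from the single "ld15.exe" sample in the write-up.

function Test-KoobfaceRegistryArtifacts {
    $findings = @()

    # 1. UAC: ConsentPromptBehaviorAdmin defaults to 2; the worm sets it to 0 to suppress the prompt.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -Name 'ConsentPromptBehaviorAdmin' -ErrorAction SilentlyContinue
    if ($null -ne $uac -and $uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += [pscustomobject]@{
            Check  = 'UAC'
            Detail = 'ConsentPromptBehaviorAdmin is 0 (default is 2): admin elevation prompt disabled'
        }
    }

    # 2. Persistence: Run values named "sysldtray" or pointing at %windir%\<letters><2 digits>.exe
    $runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $winDir  = [regex]::Escape($env:windir)
    # Optional surrounding quotes, e.g. "C:\Windows\ld15.exe"; -match is case-insensitive by default
    $pattern = '^"?' + $winDir + '\\[a-z]+\d{2}\.exe"?$'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName and similar metadata
            if ($p.Name -eq 'sysldtray' -or $p.Value -match $pattern) {
                $findings += [pscustomobject]@{
                    Check  = 'Run'
                    Detail = "Value '$($p.Name)' = '$($p.Value)'"
                }
            }
        }
    }
    return $findings
}

# Print any findings; an empty table means neither artifact is present.
Test-KoobfaceRegistryArtifacts | Format-Table -AutoSize
```

Run from an elevated prompt so the HKLM keys are readable; a hit on the Run check is a lead for investigation rather than a confirmed infection, since the file name pattern is a generalization.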
Analysis by Andrei Florin Saygo