Threat behavior
Worm:Win32/Koobface.U is a worm that spreads by posting messages that contain a link to the worm on the pages of the user's contacts on social networking sites such as Facebook. The worm has backdoor functionality that allows limited remote access and control.
Installation
When it is executed, it may create a mutex to ensure that only one instance is running in memory. The mutex name usually consists of a random combination of numbers and letters, such as "xx464dg433xx16". The worm may copy itself to the Windows folder using a file name of the following format:
%windir%\<letters><2-digit number>.exe (e.g. "ld16.exe")
The worm drops a cleanup batch script file with a pseudo-random file name, such as "dxxdv34567.bat", to the Windows folder. The worm modifies the registry so that its copy runs at each Windows start.
Adds value: "sysldtray"
With data: "<path and file name of Worm:Win32/Koobface.U>" (for example "C:\Windows\ld16.exe")
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
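The persistence artifacts above (the "sysldtray" Run value, an executable named <letters><2-digit number>.exe in the Windows folder, and a batch file dropped there) can be checked for from an administrative PowerShell prompt. This is an added triage script, not part of the Microsoft analysis; the file name regex is a loose heuristic and any hit should be confirmed with a scan rather than treated as proof of infection.

```powershell
# Added triage script (not from the encyclopedia entry): look for the
# Worm:Win32/Koobface.U persistence artifacts described in this section.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$windir   = $env:windir
$findings = @()

# 1. High-confidence indicator: the "sysldtray" value under the Run key.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['sysldtray']) {
    $findings += "Run value 'sysldtray' present, data: $($run.sysldtray)"
}

# 2. Heuristic: executables directly in %windir% named <letters><2 digits>.exe
#    (e.g. ld16.exe). Legitimate files can match, so treat hits as leads only.
Get-ChildItem -Path $windir -File -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[a-z]+\d{2}\.exe$' } |
    ForEach-Object { $findings += "Executable matching worm naming pattern: $($_.FullName)" }

# 3. Heuristic: batch files directly in %windir% (the dropped cleanup script,
#    e.g. dxxdv34567.bat). Batch files are unusual at this location.
Get-ChildItem -Path $windir -File -Filter '*.bat' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Batch file in Windows folder: $($_.FullName)" }

if ($findings.Count -eq 0) {
    'No Koobface.U persistence artifacts found.'
} else {
    $findings
}
```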
Spreads Via…
Social networking Web sites
Worm:Win32/Koobface.U checks for the presence of Internet cookies for the following Web sites:
- hi5.com
- twitter.com
- netlog.com
- facebook.com
- tagged.com
- bebo.com
- myspace.com
Worm:Win32/Koobface.U uses these Internet cookies to connect to the site and post messages to the list of friends or contacts available in the user's account. Posted messages contain text and a link to a remote Web site. When the link is visited, the remote site may display text stating that the installed version of Flash Player is outdated and offer an update, which is actually a copy of the worm. The message content is retrieved from a remote server and contains a link to a Web page that may download Koobface variants.
Payload
Allows remote access and control
Worm:Win32/Koobface.U could connect to one of the following remote servers and await commands from an attacker:
Commands received could include any of the following actions:
- Download updates or arbitrary files
- Send information about the infected computer
- Retrieve messages to be posted on contacts' pages
- Start and stop the worm service
Analysis by Shawn Wang
Prevention