Worm:Win32/Koobface.gen!C is a generic detection for worms that spread via social networking sites such as Facebook and MySpace.
Installation
Upon execution, Worm:Win32/Koobface.gen!C copies itself to the Windows folder using various file names, as in the following examples:
- %windir%\tag11.exe
- %windir%\romeo14.exe
- %windir%\nl13.exe
It modifies the system registry so that its dropped copy runs every time Windows starts, for example:
Adds value: "systray"
With data: "%windir%\<malware file name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Depending on the sample, other values may also be used, such as "sysftray2" or "sysldtray".
Worm:Win32/Koobface.gen!C may also drop a batch file with a random file name on the system, which is designed to delete the currently running worm copy once the worm has finished its malicious routines.
It also modifies the following registry entry, if it exists:
Modifies value: "CLSID"
With data: "{25336920-03f9-11cf-8fd0-00aa00686f13}"
To subkey: HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml
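One way for a defender to audit the persistence locations described in this section, as an added example that is not part of the original writeup: a PowerShell check of the Run key and the xhtml+xml MIME entry. The value names and the CLSID come from the writeup; the function name and the %windir% heuristic are this example's own assumptions.

```powershell
# Added example (not from the original writeup). Value names and CLSID are taken
# from the text above; the function name and the %windir% heuristic are assumptions.
$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$MimeKey = 'HKLM:\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml'
$SuspectValueNames = @('systray', 'sysftray2', 'sysldtray')
$SuspectClsid      = '{25336920-03f9-11cf-8fd0-00aa00686f13}'

function Get-KoobfacePersistenceIndicators {
    $findings = @()
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run) {
        # 1. Run value names the writeup associates with this worm family.
        foreach ($name in $SuspectValueNames) {
            $prop = $run.PSObject.Properties[$name]
            if ($null -ne $prop) {
                $findings += [pscustomobject]@{
                    Location = "$RunKey\$name"; Data = $prop.Value
                    Reason   = 'Run value name used by Koobface.gen!C' }
            }
        }
        # 2. Any Run entry that launches an .exe sitting directly in %windir%
        #    (not a subfolder): the worm copies itself there under varying names.
        #    Expand %windir% first so literal and expanded paths are both caught.
        $winDir = [regex]::Escape($env:windir)
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -isnot [string]) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables($p.Value)
            if ($cmd -match "^`"?$winDir\\[^\\]+\.exe") {
                $findings += [pscustomobject]@{
                    Location = "$RunKey\$($p.Name)"; Data = $p.Value
                    Reason   = 'Run entry launches an executable directly from %windir%' }
            }
        }
    }
    # 3. The xhtml+xml MIME CLSID. Note: this GUID is also the Microsoft HTML Document
    #    class, so it can be present legitimately; treat it as weak corroboration only.
    $mime = Get-ItemProperty -Path $MimeKey -ErrorAction SilentlyContinue
    if ($mime -and $mime.CLSID -eq $SuspectClsid) {
        $findings += [pscustomobject]@{
            Location = "$MimeKey\CLSID"; Data = $mime.CLSID
            Reason   = 'xhtml+xml handler CLSID matches the value the worm sets (weak signal)' }
    }
    return $findings
}

Get-KoobfacePersistenceIndicators | Format-Table -AutoSize
```

Run from an elevated prompt; an empty table means none of the three indicators was found, not that the host is clean, since the file names and value names vary between samples.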
Spreads via...
Social networking Web sites
Worm:Win32/Koobface.gen!C checks for cookies for the following social networking sites:
- bebo.com
- facebook.com
- friendster.com
- hi5.com
- myspace.com
It then uses these cookies to connect to the Web site and post messages to the user's friends. The message contains data retrieved by this worm from a remote server, which has the following format:
For example:
- nua20090528.com
- supersearch20090330.com
- wnames1404.com
- fdns6mar09.info
- er20090515.com
- upr15may.com
The message sent out by the worm with the user's account contains a link to a worm copy.
Payload
Performs backdoor functionality
Worm:Win32/Koobface.gen!C can perform any of the following actions on the system, depending on commands from a remote server:
- Download updates to itself or additional malware
- Send information about the system
- Retrieve messages to post
- Start and stop the malware service
Analysis by Elda Dimakiling