Net-Worm:W32/Koobface.ES

Classification

Category:

Malware

Type:

Net-worm

Aliases:

  • Net-Worm:W32/Koobface.ES
  • Net-Worm.Win32.Koobface.es
  • Worm:Win32/Koobface.I (Microsoft)
  • W32/Koobface.worm (McAfee)
  • W32.Koobface.A (Symantec)

Summary

Koobface.ES replicates by sending messages to the friends listed in an infected user's account with a social networking website. The malicious message includes a link to a webpage/website where unsuspecting visitors can be infected in turn. Major social networking websites are targeted by this worm, including Facebook, MySpace, Friendster and Livejournal.

Removal

Technical Details

Activity

On its first execution, the worm installs itself by copying itself to the Windows directory. During execution, a message box is displayed, which appears as:

Next, the worm looks for and connects to a remote active domain server and starts looking for cookies related to major social networking websites (see the list below). If any relevant cookies are found, the worm hijacks the user's account on the social networking site in order to browse the site and search for the user's friends/contacts.

Once information about the user's friends has been compiled, the worm sends it to a server, where the data is used to create a message. The message is then sent to the user's friends.

The generated message contains a link to a webpage where a copy of the worm can be downloaded. For example, the webpage may be a fake YouTube page, complete with fake comments; the user name and picture are pulled from the social networking site. Clicking anywhere on the page downloads a copy of the worm.

Most social networking websites use a Completely Automated Public Turing Test To Tell Computers and Humans Apart (CAPTCHA) to ensure that actual people, rather than computer programs, are creating user accounts. To circumvent the CAPTCHA, the worm sends the CAPTCHA image back to its servers to be solved; the answer is then sent back to the worm.

Installation

During installation, the worm creates a copy of itself in the Windows directory, using the file name freddy35.exe. It also drops a batch file whose purpose is to delete the worm's own files after its first execution.

The worm also makes a number of registry changes. One of them alters the MIME database entry for the application/xhtml+xml content type so that such content is handled without a prompt (see Registry Modifications below).

The worm needs to communicate with a server to function. A few possible server domains the worm can connect to are:

  • 1dns210109 .com
  • temp210108 .com
  • wm21012009 .com
  • open21012009 .com
  • er21012009 .com

The server is where the following functions are carried out:

  • Searches for cookies to social networking sites
  • Resolves CAPTCHA images
  • Generates messages
  • Sends further commands to the worm

During its communication with the server, the worm searches for cookies of these sites:

  • Facebook
  • Hi5
  • Friendster
  • Myyearbook
  • Myspace
  • Bebo
  • Tagged
  • Netlog
  • Fubar
  • Livejournal

The server can send the following commands:

  • START
  • RESET
  • SIMPLEMODE
  • DOMAIN_B
  • DOMAIN_C
  • DOMAIN_M
  • EXIT
  • FBSHAREURL
  • FBTARGETPERPOST
  • INVITE
  • LINK_B
  • LINK_C
  • LINK_M
  • TEXT_B
  • TEXT_C
  • TEXT_M
  • TITLE_B
  • TITLE_M
  • UPDATE
  • RAZLOG
  • RCAPTCHA
  • SHARELINK
  • BASEDOMAIN
  • STARTONCE
  • WAIT
  • POST

File System Changes

Creates these files:

  • %windir%\freddy35.exe

Registry Modifications

Creates these keys:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run Sysftray2 = %windir%\freddy35.exe
  • HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/xhtml+xml CLSID "{25336920-03F9-11cf-8FD0-00AA00686F13}" Extension ".xml" Encoding hex:08,00,00,00,
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml CLSID "{25336920-03F9-11cf-8FD0-00AA00686F13}" Extension ".xml" Encoding hex:08,00,00,00,
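The file, persistence and registry artefacts listed in the Installation, File System Changes and Registry Modifications sections translate directly into a read-only host triage check. The PowerShell script below is an added example written for this description, not F-Secure's tooling or the worm's code; it assumes Windows PowerShell 5.1 or later in an elevated session, reports findings and removes nothing. The indicator values (freddy35.exe, the Sysftray2 Run value, the CLSID and the server domains) come from this page; the use of the .NET registry API, the CLSID interpretation and the DNS-cache lookup via Get-DnsClientCache (present on Windows 8 / Server 2012 and later) are assumptions added here.

```powershell
# Added example (not F-Secure's code): triage a Windows host for the
# Koobface.ES artefacts listed in this description. Read-only: it reports
# findings and removes nothing. Assumes Windows PowerShell 5.1 or later,
# run elevated so HKLM and %windir% are fully readable.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped executable: %windir%\freddy35.exe
$wormPath = Join-Path $env:windir 'freddy35.exe'
if (Test-Path -LiteralPath $wormPath -PathType Leaf) {
    $sha256 = (Get-FileHash -LiteralPath $wormPath -Algorithm SHA256).Hash
    $findings.Add("File present: $wormPath (SHA256 $sha256)")
}

# 2. Running process carrying the dropped file's name
Get-Process -Name 'freddy35' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("Process running: $($_.Name) (PID $($_.Id)) from $($_.Path)")
}

# 3. Persistence: Run value 'Sysftray2' under HKLM
$runKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'Software\Microsoft\Windows\CurrentVersion\Run')
if ($runKey) {
    $value = $runKey.GetValue('Sysftray2')
    if ($null -ne $value) { $findings.Add("Run value Sysftray2 = $value") }
    $runKey.Close()
}

# 4. MIME database entry for application/xhtml+xml.
#    The .NET registry API is used instead of HKLM:\ paths because the key
#    name contains a forward slash, which the PowerShell registry provider
#    treats as a path separator. The CLSID the worm writes,
#    {25336920-03F9-11cf-8FD0-00AA00686F13}, is the MSHTML "HTML Document"
#    class, so this key on its own is a weak indicator; weigh it together
#    with findings 1-3 before concluding anything.
$clsidFromAdvisory = '{25336920-03F9-11cf-8FD0-00AA00686F13}'
$mimeLocations = @(
    @{ Label = 'HKEY_CLASSES_ROOT'
       Hive  = [Microsoft.Win32.Registry]::ClassesRoot
       Path  = 'MIME\Database\Content Type\application/xhtml+xml' },
    @{ Label = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes'
       Hive  = [Microsoft.Win32.Registry]::LocalMachine
       Path  = 'SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml' }
)
foreach ($loc in $mimeLocations) {
    $key = $loc.Hive.OpenSubKey($loc.Path)
    if ($key) {
        $clsid = [string]$key.GetValue('CLSID')
        if ($clsid -ieq $clsidFromAdvisory) {
            $findings.Add("MIME handler for application/xhtml+xml = $clsid under $($loc.Label)")
        }
        $key.Close()
    }
}

# 5. DNS client cache entries for the server domains from this description.
#    The domains are written exactly as the description defangs them (a space
#    before .com); the space is stripped only for the comparison.
$defangedDomains = @('1dns210109 .com', 'temp210108 .com', 'wm21012009 .com',
                     'open21012009 .com', 'er21012009 .com')
$serverDomains = $defangedDomains | ForEach-Object { $_ -replace ' ', '' }
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
        $serverDomains -contains ([string]$_.Entry).ToLower()
    } | ForEach-Object {
        $findings.Add("DNS cache entry for worm server domain: $($_.Entry) -> $($_.Data)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Koobface.ES indicators from this description were found.'
} else {
    Write-Output "Koobface.ES indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run the script from an elevated prompt and treat a hit on the file, process or Run value as the decisive signal; the MIME key and a cached DNS entry are corroborating evidence rather than proof on their own, and a host that matches should be isolated and handed to a full scan rather than cleaned by hand from this list.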
