Net-Worm:W32/Koobface.ES

Classification

Category: Malware

Type: Net-Worm

Aliases: Net-Worm:W32/Koobface.ES, Net-Worm.Win32.Koobface.es, Worm:Win32/Koobface.I (Microsoft), W32/Koobface.worm (McAfee), W32.Koobface.A (Symantec)

Summary

Koobface.ES replicates by sending messages to the friends listed in an infected user's account with a social networking website. The malicious message includes a link to a webpage/website where unsuspecting visitors can be infected in turn. Major social networking websites are targeted by this worm, including Facebook, MySpace, Friendster and Livejournal.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Activity

On its first execution, the worm installs itself by copying itself to the Windows directory. During execution, a message box is also displayed.

Next, the worm looks for and connects to an active remote domain server and starts looking for cookies related to major social networking websites (see the list below). If any relevant cookies are found, the worm hijacks the user's account on that social networking site and uses it to go through the site and search for the user's friends/contacts. Once the information about the user's friends has been compiled, the worm sends it to a server, where the data is used to create a message. The message is then sent to the user's friends.

The generated message contains a link to a webpage where a copy of the worm can be downloaded. For example, the webpage may be a fake YouTube page, complete with fake comments; the user name and picture are pulled from the social networking site. Clicking anywhere on the page will download a copy of the worm.

Most social networking websites use a Completely Automated Public Turing Test To Tell Computers and Humans Apart (CAPTCHA) to ensure that actual people, rather than computer programs, are creating user accounts. To circumvent the CAPTCHA, the worm sends the CAPTCHA image back to its servers to be resolved; the answer is then sent back to the worm.

Installation

During installation, the worm creates a copy of itself in the Windows directory, using the file name freddy35.exe. It also drops a batch file, whose purpose is to delete the worm's own files after its first execution.

The worm also makes a number of registry changes. One of them alters the MIME database entry for the application/xhtml+xml content type so that such content is displayed without prompting the user.

The worm needs to communicate with a server to function. A few possible server domains the worm can connect to are:

  • 1dns210109 .com
  • temp210108 .com
  • wm21012009 .com
  • open21012009 .com
  • er21012009 .com

The server carries out the following functions:

  • Searches for cookies of social networking sites
  • Resolves CAPTCHA images
  • Generates messages
  • Sends further commands to the worm

During its communication with the server, the worm searches for cookies of these sites:

  • Facebook
  • Hi5
  • Friendster
  • Myyearbook
  • Myspace
  • Bebo
  • Tagged
  • Netlog
  • Fubar
  • Livejournal

The server can send the following commands:

  • START
  • RESET
  • SIMPLEMODE
  • DOMAIN_B
  • DOMAIN_C
  • DOMAIN_M
  • EXIT
  • FBSHAREURL
  • FBTARGETPERPOST
  • INVITE
  • LINK_B
  • LINK_C
  • LINK_M
  • TEXT_B
  • TEXT_C
  • TEXT_M
  • TITLE_B
  • TITLE_M
  • UPDATE
  • RAZLOG
  • RCAPTCHA
  • SHARELINK
  • BASEDOMAIN
  • STARTONCE
  • WAIT
  • POST

File System Changes

Creates these files:

  • %windir%\freddy35.exe

Registry Modifications

Creates these keys:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sysftray2 = %windir%\freddy35.exe
  • HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/xhtml+xml
    CLSID = "{25336920-03F9-11cf-8FD0-00AA00686F13}"
    Extension = ".xml"
    Encoding = hex:08,00,00,00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml
    CLSID = "{25336920-03F9-11cf-8FD0-00AA00686F13}"
    Extension = ".xml"
    Encoding = hex:08,00,00,00
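As an added example (not part of F-Secure's description), the following Python script checks an exported .reg file for the Run persistence value and the application/xhtml+xml handler change listed above, so an analyst can triage an exported hive offline. The .reg text at the bottom is constructed sample data, and the parser's scope (string and hex values only, HKLM expanded to HKEY_LOCAL_MACHINE) is my assumption.

```python
import re

# Host indicators quoted from the description above (file name, Run value, MIME CLSID).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Sysftray2"
DROPPED_FILE = "freddy35.exe"
MIME_SUFFIX = r"MIME\Database\Content Type\application/xhtml+xml"
MIME_CLSID = "{25336920-03F9-11cf-8FD0-00AA00686F13}"

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; string data is unescaped, hex:/dword: kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):  # key header; normalise HKLM abbreviation
            current = line[1:-1].replace("HKLM\\", "HKEY_LOCAL_MACHINE\\", 1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)  # "name"=data
        if m and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: strip quotes, unescape backslashes
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def koobface_indicators(reg_text):
    """Return one finding string per matched indicator; an empty list means no indicator matched."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() == RUN_KEY.lower():  # any Run value named Sysftray2 or pointing at freddy35.exe
            for name, data in values.items():
                if name.lower() == RUN_VALUE.lower() or DROPPED_FILE in data.lower():
                    findings.append(f"Run persistence: {name} = {data}")
        elif (key.lower().endswith(MIME_SUFFIX.lower())
              and values.get("CLSID", "").lower() == MIME_CLSID.lower()):
            findings.append(f"MIME handler change: {key}")
    return findings

# Constructed .reg export resembling an infected host (sample data, not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Sysftray2"="%windir%\\freddy35.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/xhtml+xml]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"
"Encoding"=hex:08,00,00,00
"""
```

Run `koobface_indicators(SAMPLE_REG)` to see both findings; the benign ctfmon.exe Run entry is not reported.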