Thursday, April 14, 2011

Removing Win32 KoobFace worm/malware

Summary
Win32/Koobface is a multi-component family of malware used to compromise machines and direct them in various ways at the attacker's will. This could include using the affected machine to distribute additional malware, generate 'pay per click' advertising revenue, steal sensitive data, break captchas, and subvert the affected user's online experience. Its components are varied, but include a worm that spreads by utilizing social networking sites such as Facebook and MySpace.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
%windir%\bolivar19.exe
%windir%\bolivar31.exe
%windir%\bolivar30.exe
%windir%\ld01.exe
%windir%\che08.exe
%windir%\freddy35.exe
The display of the following messages:
ERROR "ERROR INSTALLING CODEC. PLEASE CONTACT SUPPORT"


Technical Information
Installation
If this worm is executed, Win32/Koobface copies itself to the Windows folder as in the following examples:

%windir%\fbtre6.exe
%windir%\mstre5.exe
%windir%\bolivar19.exe
%windir%\bolivar31.exe
%windir%\bolivar30.exe
%windir%\ld01.exe
%windir%\che08.exe
%windir%\freddy35.exe

The worm may also drop a cleanup batch script with a random file name to the root of the local drive, as in this example:

c:\42123.bat

The worm may run this cleanup batch script to delete the originally executed worm file and then the script itself. The registry is modified so that the dropped worm copy runs at each Windows start:

Adds value: systray
With data: "%windir%/"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Depending on the variant, other values are created instead such as "sysftray2" or "sysldtray".

Spreads Via…
MySpace and Facebook Contacts
Win32/Koobface searches the default Internet Explorer cookies folder for browser cookies related to social networking sites, including the following:
facebook.com
friendster.com
hi5.com
myspace.com
bebo.com

In some variants of Win32/Koobface, if the worm determines that none of these sites have been visited, it may delete itself and may display the following message box:

In the wild, the worm may connect to the Web site 'zzzping.com' to download and execute malware.

The worm spreads by sending messages containing a hyperlink to a copy of the worm to friends or contacts of the infected user. Friends who receive the message may follow the link, download the worm, and repeat the cycle of spreading to others.
Payload
Removes Audible Navigation Alerts
Some variants of Win32/Koobface may delete a registry subkey that references navigation sounds such as the 'click' sound when navigating from one Web site to another. The following subkey may be deleted by the worm:

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
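As an added, defender-side example (not part of the original post or of the vendor write-up it reproduces), the following PowerShell script checks a host for the indicators listed on this page: the dropped worm copies in the Windows folder, the Run value named systray, sysftray2 or sysldtray, a numeric-named batch file at the root of the system drive, and the missing Explorer Navigating sound subkey. It assumes Windows PowerShell 3.0 or later and an elevated session; it only reads and reports, and removal is left to the tool named below.

```powershell
# Added example (not from the original post): read-only triage for the
# Win32/Koobface indicators described above. Assumes PowerShell 3.0+ and
# an elevated session. Reports findings; makes no changes to the host.

$findings = @()

# 1. Dropped worm copies in the Windows folder (file names from the write-up).
$names = 'fbtre6.exe', 'mstre5.exe', 'bolivar19.exe', 'bolivar31.exe',
         'bolivar30.exe', 'ld01.exe', 'che08.exe', 'freddy35.exe'
foreach ($n in $names) {
    $p = Join-Path $env:windir $n
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "File present: $p (SHA256 $h)"
    }
}

# 2. Persistence: a Run value named systray / sysftray2 / sysldtray.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($v in 'systray', 'sysftray2', 'sysldtray') {
    if ($run -and ($run.PSObject.Properties.Name -contains $v)) {
        $findings += "Run value '$v' = $($run.$v)"
    }
}

# 3. Random-named cleanup batch file at the drive root (e.g. c:\42123.bat).
$rootBats = Get-ChildItem -LiteralPath "$env:SystemDrive\" -Filter '*.bat' -File `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match '^\d+$' }
foreach ($b in $rootBats) {
    $findings += "Numeric-named batch file at drive root: $($b.FullName)"
}

# 4. Payload: the Explorer 'Navigating' sound-scheme subkey has been deleted.
$navKey = 'HKCU:\AppEvents\Schemes\Apps\Explorer\Navigating'
if (-not (Test-Path -LiteralPath $navKey)) {
    $findings += "Missing subkey (navigation sounds removed): $navKey"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Koobface indicators from this write-up were found.'
} else {
    Write-Output 'Possible Win32/Koobface indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Treat the output as a triage aid rather than a verdict: file names vary by variant, a user may have removed the Navigating subkey deliberately, and a numeric-named batch file at the drive root is suspicious only in combination with the other indicators. A confirmed hit should be followed by a scan with the removal tool named below.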

This malicious software can be removed using the Microsoft Malicious Software Removal Tool.
