Worm:Win32/Koobface.A is a worm that may spread when a user logs into their profile account on the Internet social network sites 'MySpace' or 'Facebook'.
Installation
If this worm is executed, Win32/Koobface may drop a randomly named file into the Windows folder, such as in the following examples:
%windir%\fbtre6.exe
%windir%\mstre5.exe
The worm may drop a cleanup Batch script file also having a random file name to the root of the local drive, as in this example:
c:\42123.bat
The worm may execute the cleanup Batch script to remove the originally executed copy of the worm and then the script itself. The registry is modified so that the dropped copy of the worm runs at each Windows start:
Adds value: systray
With data: "%windir%/<worm file name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spreads Via…
MySpace and FaceBook Contacts
Worm:Win32/Koobface.A searches the default Internet Explorer cookies folder for browser cookies related to the Internet social network sites MySpace and Facebook (myspace.com and facebook.com respectively). If the worm determines that neither of these sites has been visited, the worm may delete itself and may display the following message box:
The worm then connects to the Web site 'zzzping.com' in order to download and execute new malware.
The worm spreads by sending messages containing a hyperlink to a copy of the worm to friends or contacts of the infected user. Friends who receive the message may visit the link, download the worm, and repeat the cycle of spreading to others.
Payload
Removes Audible Navigation Alerts
Win32/Koobface may delete a registry subkey that references navigation sounds such as the 'click' sound when navigating from one Web site to another. The following subkey may be deleted by the worm:
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
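As an added example that is not part of this write-up, the following Python checks a Registry export (.reg format) for the two modifications described above: the 'systray' value under the Run subkey pointing at a file in the Windows folder (Installation), and the missing Navigating sound subkey (Payload). The sample export is constructed for the example; the file name fbtre6.exe is taken from the examples above, and the other value names are assumed.

```python
# Constructed sample (not from the page): a .reg export of the two registry
# locations named in the write-up; "fbtre6.exe" is one of the page's examples.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"systray"="C:\\Windows/fbtre6.exe"

[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer]
@="Windows Explorer"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_KEY = r"HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer"
NAV_KEY = EXPLORER_KEY + r"\Navigating"


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files double every backslash inside string data
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def koobface_indicators(reg_text, windir=r"C:\Windows"):
    """Return the write-up's registry indicators found in a .reg export."""
    keys = parse_reg_export(reg_text)
    findings = []
    data = keys.get(RUN_KEY, {}).get("systray")
    # The worm writes "%windir%/<worm file name>": normalise the forward slash.
    if data:
        norm = data.replace("/", "\\").lower()
        if norm.startswith(windir.lower() + "\\") and norm.endswith(".exe"):
            findings.append(f"Run value 'systray' -> {data}")
    # Only judge the sound scheme if the export actually covers that branch.
    if EXPLORER_KEY in keys and NAV_KEY not in keys:
        findings.append("Navigating sound subkey absent")
    return findings
```

Export the two branches with `reg export` on the machine under review and pass the file contents to `koobface_indicators`.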
Analysis by Vitaly Zaytsev