Worm:Win32/Koobface.I is a worm that spreads via Facebook, Friendster, and other social networking Web sites.
Installation
When executed, Win32/Koobface.I may copy itself to the Windows folder using the following file name format:
%windir%\<letters><2-digit number>.exe
For example:
- %windir%\bolivar31.exe
- %windir%\bolivar30.exe
- %windir%\ld01.exe
- %windir%\che08.exe
- %windir%\freddy35.exe
It drops a cleanup batch script with a pseudo-random file name to the root of the local drive, as in this example:
C:\355674543.bat
When run, the batch script removes the originally executed copy of the worm.
Win32/Koobface.I also drops the following log file:
C:\social<date>.log
It modifies the system registry so that it automatically runs every time Windows starts, for example:
Adds value: "sysftray2"
With data: "%windir%\bolivar19.exe"
To subkey: HKLM\Software\Microsoft\Windows\Currentversion\Run
Adds value: "sysldtray"
With data: "%windir%\ld01.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also creates the following registry entries:
Adds value: "CLSID"
With data: "{25336920-03F9-11cf-8FD0-00AA00686F13}"
To subkey: HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml
Adds value: "Extension"
With data: ".xml"
To subkey: HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml
Adds value: "Encoding"
With data: "hex:08,00,00,00,"
To subkey: HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml
Win32/Koobface.I also creates a mutex to ensure that only one instance of itself is running in memory. The mutex name is usually composed of a random number and letter combination, for example:
44455345g43545
Spreads Via...
Social Networking Web Sites
Worm:Win32/Koobface.I checks for cookies for the following popular social networking sites:
- facebook.com
- friendster.com
- hi5.com
- myspace.com
- bebo.com
It then uses any cookies it finds to connect to the site and post messages to the friends listed in the user's account. The message contains data retrieved by this worm from a remote server, whose name has the following format:
<letters><current date>.com
For example:
- 1dns210109.com
- temp210108.com
- wm21012009.com
- open21012009.com
- 5824125537.com
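As an added detection example (not part of the original analysis), the following Python checks an exported Run key for the persistence pattern described under Installation and tests hostnames against the <letters><current date>.com naming used for the remote server. The Run-key sample is constructed, and the 8-character alphanumeric prefix bound and the DDMMYY/DDMMYYYY date rendering inferred from the listed samples are assumptions.

```python
import re
from datetime import date

# Persistence indicator from the entry: a Run value whose data points at
# %windir%\<letters><2-digit number>.exe, e.g. %windir%\bolivar31.exe.
RUN_DATA_RE = re.compile(r'^"?%windir%\\[a-z]+\d{2}\.exe"?$', re.IGNORECASE)
# Run value names quoted in the entry.
KNOWN_RUN_VALUES = {"sysftray2", "sysldtray"}


def suspicious_run_entries(run_values):
    """Return (name, data) pairs from a Run key that match the Koobface.I
    persistence pattern, either by known value name or by file-name shape.
    run_values: dict of value name -> REG_SZ data, as exported from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    hits = []
    for name, data in run_values.items():
        if name.lower() in KNOWN_RUN_VALUES or RUN_DATA_RE.match(data):
            hits.append((name, data))
    return hits


def is_dated_update_domain(hostname, when):
    """True if hostname has the <letters><date>.com shape used for the
    worm's remote server, with the date rendered as DDMMYY (1dns210109.com)
    or DDMMYYYY (wm21012009.com) for the day given in `when`."""
    host = hostname.lower().rstrip(".")
    for fmt in ("%d%m%y", "%d%m%Y"):
        suffix = when.strftime(fmt) + ".com"
        if host.endswith(suffix):
            prefix = host[: -len(suffix)]
            # Assumed bound: the entry's samples use a short alphanumeric prefix.
            if re.fullmatch(r"[a-z0-9]{1,8}", prefix):
                return True
    return False


if __name__ == "__main__":
    # Constructed Run-key export; not taken from a real machine.
    sample_run = {
        "sysftray2": "%windir%\\bolivar19.exe",
        "sysldtray": "%windir%\\ld01.exe",
        "ctfmon.exe": "C:\\Windows\\system32\\ctfmon.exe",
    }
    print(suspicious_run_entries(sample_run))
    for host in ("1dns210109.com", "temp210108.com", "5824125537.com"):
        print(host, is_dated_update_domain(host, date(2009, 1, 21)))
```

Names that carry no date (such as the last sample in the list above) are not flagged by the domain check, so it complements rather than replaces a blocklist.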
The messages use various social engineering techniques to entice the user's friends to click on the link. Some of the messages it may display are the following:
Title: W.O.W.
Text: ooPS. looks like i found your private video on net.
Link: http://to<REMOVED>.com/go/be.php?chd68f3=d41d8cd98f00b204e9800998ecf8427e
Title: Thiss is videeo wwith yyou. YYou're doingg soomething fuunny thhere.
Text: Hallo.
Link: http://files.<REMOVED>.com/ram<REMOVED>/youtube/video.gif?9cfb5683ch=d41d8cd98f00b204e9800998ecf8427e
Title: wow
Text: Super video with you.
Link: http://f<REMOVED>.com/go/fr.php
A sample message received from Friendster is the following:
Clicking on the malicious link leads to a Web site that purports to load a video. The user then gets a message that the video cannot be loaded without installing an update of Adobe Flash Player. The offered download is not actually Adobe Flash Player but is a copy of this worm.
Payload
Backdoor Functionality
Win32/Koobface.I can perform any of the following actions on the system, depending on commands from the remote server:
- Download updates to itself
- Send information about the system
- Retrieve messages to post
- Start and stop the malware service
Analysis by Elda Dimakiling