My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Worm.KoobFace.A

VERY HIGH
VERY LOW
16652
(Net-Worm.Win32.Koobface.b; W32.Koobface.A)

Symptoms

- Presence of "Systray" key in autorun locations  of windows registry.
- Presence of next files on the system:
C:\Windows\mstre6.exe
C:\Windows\tmark2.dat

- Increased internet traffic.
- "Friend users" from myspace.com receives links with commentaries via Inbox messages from user with infected system.




Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Suiu Andrei, virus researcher

Technical Description:

Once it is launched, it moves itself to C:\WIndows\mstre6.exe and then it executes itself from the specified location.
It finds the default explorer cookies folder and searches into it for files which contain "myspace.com".
If no appropriate files are found, it shows a MessageBox with the following text: "Error installing Codec. Please contact support", creates a file in C:\Windows\tmark2.dat and writes "1" into it. This way it marks the operating system for its presence, and then it terminates itself, subsequently deleting its file. So the worm infects only systems which use myspace.com.
If such cookies are found on the system, it adds an entry into the Registry autorun under the "Systray" key name.
The worm also deletes the following registry key:
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
Next, it gets from its server (zzzping.com) miscellaneous links and short captions to be sent via MySpace.com. The links it attempts to send to the Myspace.com contacts point users to a fake codec update, which proves to be an infected binary file containing a copy of the worm.
This technique is extremely efficient, especially given the fact that users are more likely to trust links sent by friends than by unknown contacts. The worm spreads from one system to another by using the Myspace contact lists.