
Win32.Worm.Koobface.ALX

MEDIUM
LOW
variable
Aliases: W32.Koobface.A, Rootkit.Win32.Agent.vir, Net-Worm.Win32.Koobface.cgk

Symptoms

- presence of "%windir%\system32\fio32.dll"
- presence of "%windir%\system32\drivers\fio32.sys"
- presence of the registry value described in the Technical Description

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

George Cabau, virus researcher

Technical Description:

This worm performs the following actions upon execution:

- makes a copy of itself in its own folder, appending the ".exe" extension to its name
- runs the copy it just created with the parameters "/res >%TEMP%\fio.bat"
- creates a DLL in the "%windir%\system32" folder with the name "fio32.dll"
- creates a driver in the "%windir%\system32\drivers" folder with the name "fio32.sys"
- creates a batch file in "%TEMP%" with the name "fio.bat"
- runs "fio.bat", after which the original malware process terminates

The "fio.bat" file then performs the following actions:

- creates a new registry value "tP" with data "1000" under "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main"
- creates a new firewall exception named "fio32" for the process "svchost.exe"
- creates a firewall exception for TCP port 8085
- creates and starts a new service named "fioo32" for the "fio32.dll" file
- finally deletes the copy of the malware, then deletes itself

The driver and the DLL can disable some antivirus software, steal sensitive information and monitor browser activity.
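The following triage script is an added example, not part of the Bitdefender entry, that checks a live Windows host for the indicators listed under Symptoms and in the Technical Description: the two dropped files, the "tP" value under the Internet Explorer\Main key, the "fioo32" service, the "fio32" firewall exception and the TCP 8085 opening. It assumes an elevated PowerShell on Windows Vista or later (Get-FileHash needs PowerShell 4.0; "netsh advfirewall" replaces the XP-era "netsh firewall" syntax). The file, value, service and rule names come from the entry; the ServiceDll lookup and the netstat check are standard places such artifacts appear, not facts the entry states.

```powershell
# Added triage script for Win32.Worm.Koobface.ALX indicators (not Bitdefender's code).
# Assumes: elevated PowerShell, Vista or later, PowerShell 4.0+ for Get-FileHash.
# Names "fio32", "fioo32" and "tP" are taken from the entry; the ServiceDll and
# netstat checks are assumptions about where these artifacts usually surface.

function Test-KoobfaceAlx {
    $found = New-Object System.Collections.Generic.List[string]

    # 1. Dropped files. fio.bat normally deletes itself, so its presence is a bonus.
    $paths = @(
        (Join-Path $env:windir 'system32\fio32.dll'),
        (Join-Path $env:windir 'system32\drivers\fio32.sys'),
        (Join-Path $env:TEMP   'fio.bat')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $found.Add("file: $p (SHA256 $h)")
        }
    }

    # 2. Registry marker written by fio.bat: ...\Internet Explorer\Main, value tP = 1000
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
    $ie  = Get-ItemProperty -Path $key -Name 'tP' -ErrorAction SilentlyContinue
    if ($null -ne $ie) { $found.Add("registry: $key\tP = $($ie.tP)") }

    # 3. The "fioo32" service, plus any service whose ImagePath or ServiceDll points at
    #    fio32.dll / fio32.sys (a DLL hosted by svchost.exe is registered under
    #    Parameters\ServiceDll, which matches the svchost.exe firewall exception).
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $dll   = (Get-ItemProperty -Path (Join-Path $svc.PSPath 'Parameters') `
                    -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        $hit = ($svc.PSChildName -eq 'fioo32') -or
               ($props.ImagePath -match 'fio32\.(dll|sys)') -or
               ($dll -match 'fio32\.dll')
        if ($hit) {
            $found.Add("service: $($svc.PSChildName) ImagePath='$($props.ImagePath)' ServiceDll='$dll'")
        }
    }

    # 4. Firewall exceptions: a rule named fio32 and an inbound opening for TCP 8085.
    #    -match against the string array keeps only the lines that match.
    $rules = netsh advfirewall firewall show rule name=all dir=in 2>$null
    if ($rules -match '^Rule Name:\s+fio32\s*$') { $found.Add('firewall: rule named fio32') }
    if ($rules -match '^LocalPort:\s+8085\s*$')  { $found.Add('firewall: inbound rule for local port 8085') }

    # 5. Anything currently listening on TCP 8085, with its owning PID.
    $listen = netstat -ano -p tcp | Select-String -Pattern ':8085\s+\S+\s+LISTENING\s+(\d+)'
    foreach ($l in $listen) { $found.Add("listener: $($l.Line.Trim())") }

    return $found
}

$hits = Test-KoobfaceAlx
if ($hits.Count -eq 0) {
    Write-Host 'No Win32.Worm.Koobface.ALX indicators found.'
    exit 0
}
$hits | ForEach-Object { Write-Warning $_ }
exit 1
```

A non-zero exit code makes the script usable from a remote management tool or a logon script sweep. Hashes of any files it finds are worth recording before disinfection, since the dropped DLL and driver are what an analyst will want to compare against later samples.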