(W32.Kppbface.A, Rootkit.Win32.Agent.vir, Net-Worm.Win32.Koobface.cgk)
- presence of “%windir%\system32\fio32.dll”
- presence of “%windir%\system32\drivers\fio32.sys”
- presence of the registry value mentioned in the Technical Description
Please let BitDefender disinfect your files.
George Cabau, virus researcher
This worm performs the following actions upon execution:
- makes a copy of itself in the folder it was started from, appending the “.exe” extension to its own name
- runs the copy it just created with the parameters “/res >%tEMP%\fio.bat” (the output redirection is what writes the batch file described below)
- creates a DLL file in the “%windir%\system32” folder, with the name “fio32.dll”
- creates a driver in the “%windir%\system32\drivers” folder, with the name “fio32.sys”
- creates a batch file in “%temp%” with the name “fio.Bat”
- runs the file “fio.Bat”; the malware process then terminates
The “fio.Bat” file then performs the following actions:
- creates a new registry value named “tP” with data “1000” under “HKLM\SOFTWARE\Microsoft\Internet Explorer\Main”
- creates a new Windows Firewall exception named “fio32” for the process “svchost.exe”
- creates a firewall exception for TCP port 8085
- creates and starts a new service named “fioo32” that loads the “fio32.dll” file
- finally, deletes the copy of the malware and then deletes itself
The driver and the DLL can disable some antivirus software, steal sensitive information and monitor browser activity.
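The symptoms listed at the top of this entry and the changes made by “fio.Bat” can be checked from an elevated PowerShell prompt. The script below is an added triage example, not a BitDefender tool and not code from the worm; the file, service and registry names are taken from the description above. Two things are assumptions: that the driver registers a service under its own file name “fio32”, and that the firewall exceptions are persisted in the standard Windows Firewall policy keys under “SharedAccess\Parameters\FirewallPolicy” (the XP/2003 “List” values and the Vista and later “FirewallRules” key). The check is read-only and does not remove anything.

```powershell
# Added triage example (not BitDefender's tool): read-only check for the
# indicators this entry lists. File, service and registry names come from the
# description; the 'fio32' driver service name and the Windows Firewall storage
# paths under SharedAccess\Parameters\FirewallPolicy are assumptions.
function Get-FioIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped components
    foreach ($path in @("$env:windir\system32\fio32.dll",
                        "$env:windir\system32\drivers\fio32.sys")) {
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $findings.Add("File: $path ($($item.Length) bytes, written $($item.LastWriteTime))")
        }
    }

    # 2. Marker value written by fio.Bat
    $ieMain = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
    $tp = Get-ItemProperty -Path $ieMain -Name 'tP' -ErrorAction SilentlyContinue
    if ($tp) { $findings.Add("Registry: $ieMain\tP = $($tp.tP)") }

    # 3. Service entries: 'fioo32' (the DLL service) and, assumed, a driver
    #    service named after fio32.sys. A DLL-backed service is hosted inside
    #    svchost.exe, which is consistent with the firewall exception being
    #    granted to svchost.exe rather than to a fio32 binary.
    foreach ($svc in @('fioo32', 'fio32')) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path $key) {
            $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
            $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
            $findings.Add("Service: $svc ImagePath='$img' ServiceDll='$dll'")
        }
    }

    # 4. Firewall exceptions. XP/2003 store program and port exceptions as
    #    REG_SZ values under the profile 'List' keys; Vista+ stores rule strings
    #    under FirewallRules (e.g. '...|LPort=8085|Name=fio32|...').
    $fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $fwKeys = @("$fwBase\StandardProfile\AuthorizedApplications\List",
                "$fwBase\DomainProfile\AuthorizedApplications\List",
                "$fwBase\StandardProfile\GloballyOpenPorts\List",
                "$fwBase\DomainProfile\GloballyOpenPorts\List",
                "$fwBase\FirewallRules")
    foreach ($key in $fwKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $v = [string]$p.Value
            if ($v -match 'fio32|^8085:TCP|\|LPort=8085\|') {
                $findings.Add("Firewall: $key\$($p.Name) = $v")
            }
        }
    }

    return $findings
}

$hits = Get-FioIndicators
if ($hits.Count -eq 0) {
    Write-Output 'No fio32 indicators found.'
} else {
    $hits | ForEach-Object { Write-Output $_ }
}
```

Any hit on the file, registry or service checks is a strong indicator on its own; a firewall hit alone should be confirmed against the other items, since “8085” and “fio32” are matched as substrings of the stored rule text.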