Koobface.HJV - Spreading in the wild

February 18, 2011

The Sonicwall UTM Research team discovered a new malicious Worm spreading in the wild. The Worm spreads via Facebook profiles and as part of its post-infection activity, it installs Fake AVG antivirus security software.

The Worm performs the following DNS queries:

  • www.google.com
  • facebook.com
  • www.facebook.com
  • d.static.ak.fbcdn.net
  • x-treme-radio.host22.com
  • www.ashiww.com
  • www.wahdohotel.nl
  • kingswoodwright.com
  • kbfgb.greyzzsecure9.com
  • 3064972.greyzzsecure9.com

The Worm attempts to load various web pages using random page names with the .css extension:

  • http://206.160.{removed}.9/rsrc.php/yW/r/Xx2bs9YPnF_.css
  • http://206.160.{removed}.9/rsrc.php/ye/r/vOYlUxHAn95.css
  • http://206.160.{removed}.9/rsrc.php/yS/r/w4doJXgUPVR.css
  • http://206.160.{removed}.43/rsrc.php/yX/r/pWROpoRFF42.css
  • http://206.160.{removed}.9/rsrc.php/y4/r/LIj01FurENH.css
  • http://206.160.{removed}.9/rsrc.php/yE/r/4Kozs88a56s.css
  • http://206.160.{removed}.43/rsrc.php/yQ/r/dvBK5Hfjbcc.css
  • http://206.160.{removed}.43/rsrc.php/y-/r/Ki5kfy7_Bje.css
  • http://206.160.{removed}.9/rsrc.php/yL/r/u8Bue217GRs.css
  • http://206.160.{removed}.9/rsrc.php/yW/r/Xx2bs9YPnF_.css

The Worm installs the following files on the system:

  • C:Documents and Settings{USER}Local SettingsTempfeb.bat
  • C:Documents and Settings{USER}Local SettingsTempzpskon_1296703528.exe [Detected as GAV: Koobface.FF (Trojan)]
  • C:Documents and Settings{USER}Local SettingsTempzpskon_1296699165.exe [Detected as GAV: Delf.EM (Trojan)]
  • C:WINDOWS5456456z
  • C:WINDOWSbt7.dat
  • C:WINDOWSjjp156.exe [Detected as GAV: Koobface.HJV_2 (Worm)]
  • C:WINDOWSsystem32feb.dll [Detected as GAV: Koobface.HJV_3 (Worm)]
  • C:WINDOWSsystem32driversfeb.sys [Detected as GAV: Koobface.FF (Trojan)]

feb.bat contains:

      netsh firewall add allowedprogram name="feb" program="C:WINDOWSsystem32svchost.exe" mode=enable
      netsh firewall add portopening tcp 8087 feb enable
      sc create "ffeb" type= interact type= share start= auto binpath= "C:WINDOWSsystem32svchost.exe -k ffeb"
      reg add "hklmsystemcurrentcontrolsetservicesffebparameters" /v servicedll /t reg_expand_sz /d "C:WINDOWSsystem32feb.dll" /f
      reg add "hklmsystemcurrentcontrolsetservicesffeb" /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
      reg add "hklmsoftwaremicrosoftwindows ntcurrentversionsvchost" /v ffeb /t reg_multi_sz /d "ffeb" /f
      sc start ffeb

feb.dll contains a list or URL's all of which are either taken down or lead to blank pages at the time of writing. Below is a sample of the URL's contained feb.dll:

  • impri{removed}.gr/.lhinrs/
  • hk{removed}.org/.ycguh3/
  • roomservi{removed}.com.au/.9mov05w/
  • nubs.wo{removed}.co.uk/.7txq/
  • lenga{removed}.com/.ck5rg8/
  • cayenneo{removed}.com/.fplf/
  • www.dead{removed}.co.uk/.qe9v/
  • ib{removed}.org.il/.5cei7f9/
  • www.kurdist{removed}.com/.x5fyik/
  • heali{removed}.co.za/.12vatd/
  • forwardmar{removed}.org/.6sta03t/
  • numerus-{removed}.fr/.li81/
  • fino{removed}.com/.ea2cuwa/
  • fe{removed}.co.za/.jts51/
  • tarr{removed}.com/.5fu3/
  • toppla{removed}.nl/.vfnc/
  • www.fishingfo{removed}.com/.5wmm9/

The worm installs the following registry keys to ensure startup of jjp156.exe and the feb.sys driver:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorer NoAutoUpdate dword:00000001
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorer NoWindowsUpdate dword:00000001
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSvcHost ffeb hex(7):66,66,65,62,00,00,
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun dfg49df "c:windowsjjp156.exe"
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_FEB NextInstance dword:00000001
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_FEB000 Service "feb"
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesfeb ImagePath hex(2):"??C:WINDOWSsystem32driversfeb.sys"

Upon installation the Worm informs the user that it needs to perform a "Scan" of the system:

It performs a fake system scan which is hosted on a Fake AV landing page:

  • http://3064972.greyzzsecure9.com/defender/?914ea0a274=vmzd&8a83854da2d=jjdjtamdvz&5f701=jvottyajzt


When clicking on "Remove all" or "Cancel" it attemps to initiate the download of:

  • bitav_2053_ext6.exe [Detected as GAV: TDSS.ABCR (Trojan)]

The worm will periodically cause pop-up messages such as in the screenshot below:

When clicking OK to such pop-up messages the Worm will bring up further Fake AV pages which attempt to download more malware to the infected machine such as:

  • pack.exe [Detected as GAV: SecurityTool.W (Trojan)]

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Koobface.HJV (Worm)
  • GAV: Koobface.HJV_2 (Worm)
  • GAV: Koobface.HJV_3 (Worm)
  • GAV: Koobface.FF (Trojan)
  • GAV: Delf.EM (Trojan)
  • GAV: TDSS.ABCR (Trojan)
  • GAV: SecurityTool.W (Trojan)