New Koobface worm variant

August 11, 2009

SonicWALL UTM Research team found a new variant of Koobface worm last week on August 7, 2009. It's packed using UPX.

There are three major enhancements in this new variant of Koobface,

a) Earlier drive-by sites had a page that looked like YouTube video page but now they have switched to a Facebook video look-alike page.

b) In past, the message tweeted was "My home video 🙂 [URL]", now they randomize it by adding "LOL", "HA-HA-HA", "OMFG!" etc, so each tweet is unique.

c) The link is also unique with an appended random number, so after URL shortening it is still unique:
hxxp://[RANDOM] -> hxxp://[RANDOM]

The malware performs following activities upon execution:

  • Deletes the original file that was downloaded and executed by the user
  • Drops files (Windows)ld12.exe, (Windows)prxid93ps.dat and executes ld12.exe
  • Creates a registry entry to ensure that it starts on system reboot:
    HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunsysldtray: "c:windowsld12.exe"
  • Checks for Internet connectivity by sending GET request to
  • If Internet is available, it connects to the C&C server located at and receives command to download malicious files:

    STARTONCE| [Detected as GAV: FakeAv.OT_2 (Trojan)]
    START| [Detected as GAV: Koobface.NBH_5 (Worm)]

This malware is also known as Worm:Win32/Koobface.gen!D [Microsoft], Net-Worm.Win32.Koobface.bgr [Kaspersky], Mal/KoobHeur-A [Sophos].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Koobface.BGR (Worm) signature.

Screenshots of Koobface worm drive-by sites in action can be seen below:

Facebook video page look-alike:


Download of the Koobface worm when user attempts to download flash player:


Page showing unique tweets with shortened malicious link: