New Koobface worm variant
SonicWALL UTM Research team found a new variant of Koobface worm last week on August 7, 2009. It's packed using UPX.
There are three major enhancements in this new variant of Koobface,
a) Earlier drive-by sites had a page that looked like YouTube video page but now they have switched to a Facebook video look-alike page.
b) In past, the message tweeted was "My home video 🙂 [URL]", now they randomize it by adding "LOL", "HA-HA-HA", "OMFG!" etc, so each tweet is unique.
c) The link is also unique with an appended random number, so after URL shortening it is still unique:
hxxp://uppinorr.se/pub1icm0vies/?[RANDOM] -> hxxp://bit.ly/[RANDOM]
The malware performs following activities upon execution:
- Deletes the original file that was downloaded and executed by the user
- Drops files (Windows)ld12.exe, (Windows)prxid93ps.dat and executes ld12.exe
- Creates a registry entry to ensure that it starts on system reboot:
- Checks for Internet connectivity by sending GET request to www.google.com
- If Internet is available, it connects to the C&C server located at upr0306.com and receives command to download malicious files:
STARTONCE|http://web.reg.md/1/prx.exe [Detected as GAV: FakeAv.OT_2 (Trojan)]
START|http://web.reg.md/1/pp.10.exe [Detected as GAV: Koobface.NBH_5 (Worm)]
This malware is also known as Worm:Win32/Koobface.gen!D [Microsoft], Net-Worm.Win32.Koobface.bgr [Kaspersky], Mal/KoobHeur-A [Sophos].
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Koobface.BGR (Worm) signature.
Screenshots of Koobface worm drive-by sites in action can be seen below:
Facebook video page look-alike:
Download of the Koobface worm when user attempts to download flash player:
Page showing unique tweets with shortened malicious link: