
System Infected: Koobface C and C Communication

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Koobface activity in which the worm communicates with, and requests information from, its controlling server.

Additional Information

W32.Koobface.A is a worm that spreads through social networking sites.

When the worm executes, it copies itself as the following file:
c:\windows\mstre6.exe

It also creates the following file which serves as an infection marker:
c:\windows\tmark2.dat

It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"systray" = "c:\windows\mstre6.exe"

The worm deletes the following registry key:
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

When executed for the first time on a given machine it will display the following message box in order to distract user's attention from its real purpose:
Window title: Error
Window body: Error installing Codec. Please contact support.

Then it searches for cookies related to social networking sites. If none are found, the worm deletes itself.

If the worm finds the appropriate security cookie, it modifies the account settings so that links to malicious sites are added to the user's profile in order to trick visitors into following them. These links point to a copy of the worm disguised as a video codec.
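The following PowerShell is an added example, not part of Symantec's write-up, that checks a Windows host for the W32.Koobface.A artifacts listed above (the dropped executable, the infection marker, the "systray" Run value and the deleted Navigating key). It assumes the standard HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key for the Run value and uses %SystemRoot% in place of the literal c:\windows.

```powershell
# Added example (not Symantec's code): look for W32.Koobface.A artifacts.
# Run in an elevated PowerShell session on the host being examined.
$systemRoot = $env:SystemRoot   # normally C:\Windows (the write-up lists c:\windows)

$fileIndicators = @(
    (Join-Path $systemRoot 'mstre6.exe'),   # copy of the worm
    (Join-Path $systemRoot 'tmark2.dat')    # infection marker
)
$runKey        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'  # assumed standard Run key
$runValue      = 'systray'
$navigatingKey = 'HKCU:\AppEvents\Schemes\Apps\Explorer\Navigating'

$findings = @()

# 1. Dropped file and infection marker; record size and hash for the analyst.
foreach ($path in $fileIndicators) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'File present'
            Detail    = "$path (size=$($item.Length) bytes, sha256=$hash)"
        }
    }
}

# 2. Persistence: a "systray" Run value pointing at mstre6.exe. A "systray"
#    value with other data is reported separately, since legitimate software
#    has used that name.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runValue]) {
    $data = [string]$run.$runValue
    $kind = if ($data -like '*mstre6.exe*') { 'Run value matches worm' } else { 'Run value present (review)' }
    $findings += [pscustomobject]@{ Indicator = $kind; Detail = "$runKey\$runValue = $data" }
}

# 3. The worm deletes this key. Its absence alone is weak evidence, but it
#    corroborates the file and Run-value hits above.
if (-not (Test-Path -Path $navigatingKey)) {
    $findings += [pscustomobject]@{ Indicator = 'Registry key missing (weak)'; Detail = $navigatingKey }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Koobface.A artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the file or the Run value is the strong signal; follow the Response steps below rather than deleting the artifacts by hand, so that the scan also covers any other copies.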

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.