1. Symantec-Broadcom-Horizontal/
  2. Security Response/
  3. Attack Signatures/
  4. System Infected: HTTP Koobface C and C Server Domains Request

System Infected: HTTP Koobface C and C Server Domains Request

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.


This signature detects W32.Koobface activity communicating and requesting information from it's controlling server.

Additional Information

W32.Koobface.A is a worm that spreads through social networking sites.

When the worm executes, it copies itself as the following file:

It also creates the following file which serves as an infection marker:

It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"systray" = "c:\windows\mstre6.exe"

The worm deletes the following registry key:

When executed for the first time on a given machine it will display the following message box in order to distract user's attention from its real purpose:
Window title: Error
Window body: Error installing Codec. Please contact support.

Then it searches for cookies related to social networking sites. If none are found, the worm deletes itself.

If the worm finds the appropriate security cookie, it modifies the settings so that links to malicious sites will be added to the user's profile to trick visitors into following. These links will point to a copy of the worm disguised as a video codec.


  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube