Analysis by: Dianne Lagrimas

ALIASES:

Dursg, VBInject, Usuge, VBKrypt, Koobfa, Autorun

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via social networking sites

KOOBFACE malware are known for targeting the social networking site Facebook to spread via infected wall posts. It was first spotted in 2008, but KOOBFACE was at the height of its operations in 2009 and 2010.

While the name suggests that this family uses Facebook to spread, its variants were also known to use other social networking sites like Twitter and Myspace. It uses social engineering to get users to click on a link that appears to lead to a video. The video is fake but is hosted on a site that imitates YouTube. The site then gets users to install a file to view the video, but the file is actually the malware.

KOOBFACE malware are made up of several key components to complete its routine. The components consist of data stealers, downloaders, DNS changers, among others.

KOOBFACE may steal system information and user credentials, download other malware, and open a backdoor on the affected system. Some variants of this malware family have been linked to FAKEAV distributors. Newer variants employed traffic direction systems.

  TECHNICAL DETAILS

Memory Resident: Yes

Installation

This worm drops the following files:

  • %System%\clbcoko.dll
  • %System%\drivers\imapioko.sys
  • %System%\drivers\mrxoko.sys
  • %System%\erokosvc.dll
  • %User Profile%\Local Settings\Application Data\{Random CLSID for Firefox}\chrome.manifest
  • %User Profile%\Local Settings\Application Data\{Random CLSID for Firefox}\chrome\content\timer.xul
  • %User Profile%\Local Settings\Application Data\{Random CLSID for Firefox}\install.rdf
  • %User Temp%\tmp

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

  • %System Root%\Documents and Settings\All Users\Application Data\mplf\mstime32.exe
  • %User Profile%\Application Data\SystemProc\lsass.exe
  • %User Profile%\Application Data\system\svchost.exe
  • %User Profile%\Application Data\system\verona\copy
  • %User Profile%\Application Data\system\verona\load_me.exe
  • %Windows%\ld03.exe
  • %Windows%\ld04.exe
  • {malware folder}\{malware file name}.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It creates the following folders:

  • %System Root%\Documents and Settings\All Users\Application Data\mplf
  • %User Profile%\Application Data\SystemProc
  • %User Profile%\Application Data\system
  • %User Profile%\Application Data\system\verona
  • %User Profile%\Local Settings\Application Data\{Random CLSID for Firefox}
  • %User Profile%\Local Settings\Application Data\{Random CLSID for Firefox}\chrome
  • %User Profile%\Local Settings\Application Data\{Random CLSID for Firefox}\chrome\content

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
sysldtray = "%Windows%\ld04.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
RTHDBPL = "%User Profile%\Application Data\SystemProc\lsass.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Intel Management Services v32 = "%System Root%\Documents and Settings\All Users\Application Data\mplf\mstime32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{random CLSID}
StubPath = "%System Root%\Documents and Settings\All Users\Application Data\mplf\mstime32.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
wupd32 = "%User Profile%\Application Data\system\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
sysldtray = "%Windows%\ld03.exe"

Other System Modifications

This worm adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
xMyDate

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{random CLSID}

HKEY_CURRENT_USER\Software\verona_4l

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ql600oko

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\swoko

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\apto6ko

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\cpqoko6

It adds the following registry entries:

HKEY_CURRENT_USER\Identities
Curr version = "{number}"

HKEY_CURRENT_USER\Identities
Last Date = "{date}"

HKEY_CURRENT_USER\Identities
Inst Date = "{date}"

HKEY_CURRENT_USER\Identities
Popup count = "{number}"

HKEY_CURRENT_USER\Identities
Popup time = "{number}"

HKEY_CURRENT_USER\Identities
Popup date = "{number}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Program Files%\internet explorer\iexplore.exe = "%Program Files%\internet explorer\iexplore.exe:*:Enabled:Internet Explorer"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
TI = "{number}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
TP = "{number}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
termsvc = "{hex value}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
tapisrvs = "{hex value}"

Other Details

This worm connects to the following possibly malicious URL:

  • {BLOCKED}2009.biz
  • {BLOCKED}2009.biz
  • {BLOCKED}ar09.info
  • {BLOCKED}osma.com
  • {BLOCKED}nse26032009.com
  • {BLOCKED}trol.com
  • {BLOCKED}pages.com
  • {BLOCKED}32009.biz
  • {BLOCKED}32009.biz
  • {BLOCKED}0603.com
  • {BLOCKED}n.com
  • {BLOCKED}z.com
  • {BLOCKED}an.net
  • {random}.{BLOCKED}orked.com
  • {random}.{BLOCKED}ndyew.com
  • {random}.{BLOCKED}rkedya.com
  • {random}.{BLOCKED}ctya.com
  • {random}.{BLOCKED}tedya.com
  • {random}.{BLOCKED}ntedya.com