Aliases: Koobface.A, W32/Koobface.worm!F73A6BE0, W32/Koobface.worm, W32/Koobface
Variants: W32.Koobface.B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 03 Aug 2008
Damage: Medium

Characteristics: The worm W32.Koobface.A spreads through social networking sites. It uses your social network to post items: it posts comments containing a link on other people's profiles to trick them into clicking on the link. It attempts to collect private information such as credit card numbers, which may lead to identity theft.

More details about W32.Koobface.A

The worm W32.Koobface.A spreads by infecting Windows executable files via security loopholes. After infecting the computer, the worm deactivates security and drops mstre6.exe files into the Windows system. It usually spreads through spam emails, corrupt porn content websites, Flash, and ActiveX video codecs. The worm searches for cookies related to social networking sites and deletes itself when none are found. If an appropriate security cookie is found, the worm modifies the settings to add links to malicious sites in the user's profile. The links lead to a copy of the worm disguised as a video codec. The worm also tracks Windows activities and values in the system registry, and it collects surfing history to create equivalent pop-ups. In addition, it tracks and restricts security programs and forwards confidential private financial information to remote attackers.

The W32.Koobface.A software creates a copy of itself in the system, saved as an executable file. The process is added to the system registry, which allows it to run at system startup. The executable file also loads a Dynamic Link Library (DLL) module, which is added to the system registry as a component of the Internet Explorer web browser. The DLL module serves as the main spying component of the program. It contains the URL to which the collected information is sent. It can monitor the user's browsing habits in Internet Explorer, and its keylogging functions can capture information as the user types it in.
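
A triage check for the startup persistence described above, as an added example that is not part of the original entry: it scans `reg query` output for autostart values that launch the dropped `mstre6.exe`. The page names only the file; the Run key locations, value names and paths in the sample are assumptions and constructed data.

```python
import ntpath
import re

# Indicator from the page: the file name the worm drops.
DROPPED_NAME = "mstre6.exe"

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def command_image(data):
    """Return the lowercased file name of the program an autostart value launches."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]          # quoted path, arguments follow
    else:
        # Unquoted: cut at the first ".exe" so paths containing spaces still resolve.
        m = re.match(r"(.*?\.exe)\b", data, re.IGNORECASE)
        path = m.group(1) if m else data.split(" ", 1)[0]
    return ntpath.basename(path).lower()

def find_autoruns(reg_query_output, wanted=DROPPED_NAME):
    """Return (key, value name, data) for every autostart value launching `wanted`."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()                     # start of a new registry key
            continue
        m = VALUE_LINE.match(line)
        if m and m["type"] in ("REG_SZ", "REG_EXPAND_SZ"):
            if command_image(m["data"]) == wanted:
                hits.append((key, m["name"], m["data"]))
    return hits

# Constructed sample output. Assumption: the standard Run keys are the startup
# locations checked; the value names and paths are invented for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Example Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    sample_entry    REG_SZ    C:\Windows\MSTRE6.EXE
"""

if __name__ == "__main__":
    for key, name, data in find_autoruns(SAMPLE):
        print(f"suspicious autostart: {key} :: {name} -> {data}")
```

A file-name match is only a lead: the entry should be confirmed against the file on disk before removal, since a renamed copy would not be caught by this check.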