Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
In the wild:
Low to medium
Low to medium
- Tuesday, May 19, 2009
• Mcafee: W32/Koobface.worm virus
• Sophos: W32/Koobface-C
• Panda: Trj/Proxy.CM
• Eset: Win32/Tinxy.AD
• Bitdefender: Win32.Worm.Koobface.CD
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Downloads a malicious file
• Drops malicious files
• Registry modification
It copies itself to the following location:
It deletes the initially executed copy of itself.
It deletes the following file:
The following file is created:
– C:\SYS32DLL.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file. Detected as: BAT/SYS32open
It tries to download a file:
– The location is the following:
At the time of writing this file was not online for further investigation.
One of the following values is added in order to run the process after reboot:
The following registry keys are changed:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
The following port is opened:
\SYS32DLL.exe on TCP port 7171 in order to provide a proxy server.
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
Description inserted by Petre Galan on Friday, November 27, 2009
Description updated by Petre Galan on Friday, November 27, 2009