Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:19/05/2009
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:16.384 Bytes
MD5 checksum:99e33a3d24366ad569ab7115aabbed5c
IVDF version:

 General Aliases:
   •  Mcafee: W32/Koobface.worm virus
   •  Sophos: W32/Koobface-C
   •  Panda: Trj/Proxy.CM
   •  Eset: Win32/Tinxy.AD
   •  Bitdefender: Win32.Worm.Koobface.CD

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\SYS32DLL.exe

It deletes the initially executed copy of itself.

It deletes the following file:
   • C:\SYS32DLL.bat

The following file is created:

– C:\SYS32DLL.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file. Detected as: BAT/SYS32open

It tries to download a file:

– The location is the following:
At the time of writing this file was not online for further investigation.

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "SYS32DLL"="SYS32DLL"

The following registry keys are changed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyEnable"=dword:0x00000001
   • "ProxyOverride"="*.local;"
   • "ProxyServer"="http=localhost:7171"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyEnable"=dword:0x00000001
   • "ProxyOverride"="*.local;"
   • "ProxyServer"="http=localhost:7171"

 Backdoor The following port is opened:

%SYSDIR%\SYS32DLL.exe on TCP port 7171 in order to provide a proxy server.

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, November 27, 2009
Description updated by Petre Galan on Friday, November 27, 2009

Back . . . .