Full description

Virus:	TR/Agent.56320.16
Date discovered:	13/10/2009
Type:	Trojan
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Low to medium
Static file:	Yes
File size:	56.320 Bytes
MD5 checksum:	66dc85ad06e4595588395b2300762660
IVDF version:	7.01.06.106 - Tuesday, October 13, 2009

General Aliases:
   • Mcafee: W32/Koobface.worm.gen.o
   • Panda: W32/Koobface.GN.worm
   • Eset: Win32/Koobface.NCF
   • Bitdefender: Trojan.Generic.IS.615453

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

Files It copies itself to the following location:
   • %WINDIR%\freddy69.exe

It deletes the initially executed copy of itself.

It deletes the following files:
   • %malware execution directory%\sd.dat
   • %WINDIR%\dxxdv34567.bat
   • %malware execution directory%\df1a245s4_1000.exe
   • C:\3.reg

The following files are created:

– %WINDIR%\bk23567.dat
– %WINDIR%\freddy101.exe Further investigation pointed out that this file is malware, too.
– %WINDIR%\dxxdv34567.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.
– %HOME%\Local Settings\Temporary Internet Files\Content.IE5\CXA7GX23\fb[1].101.exe Further investigation pointed out that this file is malware, too.

It tries to download some files:

– The locations are the following:
   • http://www.bloomfieldlivestockmarket.com/**********/?action=fbgen&v=69
   • http://iq-tech.biz/**********/?action=fbgen&mode=s&age=32&a=544453496&v=101&crc=669&ie=6.0.2800.1106
   • http://doratheexplorertoys.info/**********/?action=fbgen&v=101&crc=669
   • http://www.getconnected.be/**********/?action=fbgen&v=69
   • http://krukvaxter.tazzeli.se/**********/?action=fbgen&v=69
   • http://www.agapebowling.com/**********/?action=fbgen&v=101&crc=669
   • http://www.oneofakindsxm.com/**********/?getexe=fb.101.exe
   • http://rtrans.spb.ru/**********/?action=fbgen&v=69
   • http://genesiskdmparts.com/**********/?action=fbgen&v=69
   • http://iq-tech.biz/**********/?action=fbgen&v=101&crc=669
   • http://firmafrugtforeningen.dk/**********/?action=fbgen&v=101&crc=669
   • http://hadsund-jagt.dk/**********/?action=fbgen&v=101&crc=669
   • http://qatar-business-guide.net/**********/?action=fbgen&a=544453496&v=69&ie=6.0.2800.1106
   • http://www.svensmits.be/**********/?action=fbgen&v=69
   • http://qatar-business-guide.net/**********/?action=fbgen&v=69
Further investigation pointed out that this file is malware, too.

Registry The values of the following registry key are removed:

– [HKEY_USERS\S-1-5-21-2025429265-1425521274-839522115-1003\Software\
   Microsoft\Windows\CurrentVersion\Internet Settings]
   • AutoConfigURL
   • ProxyOverride
   • ProxyServer

The following registry key is added:

– [HKLM\SOFTWARE\Classes\MIME\Database\Content Type\
   application/xhtml+xml]
   • "CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"
   • "Encoding"=hex:08,00,00,00
   • "Extension"=".xml"

The following registry keys are changed:

– [HKEY_USERS\S-1-5-21-2025429265-1425521274-839522115-1003\Software\
   Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "MigrateProxy"=dword:0x00000001
   • "ProxyEnable"=dword:0x00000000

– [HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\
   Microsoft\windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyEnable"=dword:0x00000000

Injection – It injects itself as a thread into a process.

Process name:
• regedit.exe

Miscellaneous Checks for an internet connection by contacting the following web site:
   • http://www.google.com

String:
Furthermore it contains the following strings:
   • http://messaging.myspace.com/index.cfm?fuseaction=mail.sentboxV3&type=Sent
   • http://profileedit.myspace.com/index.cfm?fuseaction=profile.blurbs
   • http://profileedit.myspace.com/index.cfm?fuseaction=profile.interests
   • http://profileedit.myspace.com/index.cfm?fuseaction=profile.lifestyle
   • http://profileedit.myspace.com/index.cfm?fuseaction=profile.schools
   • http://profileedit.myspace.com/index.cfm?fuseaction=profile.companies
   • http://profileedit.myspace.com/index.cfm?fuseaction=accountSettings.contactInfo
   • myspace.com/index.cfm?fuseaction=profile.basic
   • document.getElementById("hsmDoneBtn").fireEvent("onmousedown", evt);

File details Programming language:
The malware program was written in MS Visual C++.

Description inserted by Petre Galan on Tuesday, February 23, 2010
Description updated by Petre Galan on Tuesday, February 23, 2010

Back . . . .

Become an Avira Partner

Want to be the leading provider of small and medium business security? Become an Avira partner and offer your customers powerful, cost-effective security trusted by over 100 million users worldwide.

Discover the Avira Partner Program Enroll as an Avira partner today

Already a Partner?

. . . .

Call Us

+1 800-403-7019

Drop us a line

We'll get back to you lickety-split.

Nice to hear from you!

Thank you for contacting Avira.

Featured products

More products

Most popular

All products

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools

Call Us

+1 800-403-7019

Drop us a line

We'll get back to you lickety-split.

Nice to hear from you!

Thank you for contacting Avira.

Featured products

More products

Most popular

All products

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools