Besoin d’aide ? Fais appel à la communauté ou embauche un spécialiste.
Aller à Avira Answers
Virus:Worm/Koobface.bvm
Date discovered:14/10/2009
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:56.320 Bytes
MD5 checksum:8282ea8e92f40ee13ab716daf2430145
IVDF version:7.01.06.110 - Wednesday, October 14, 2009

 General Aliases:
   •  Mcafee: W32/Koobface.worm.gen.o
   •  Panda: W32/Koobface.FL.worm
   •  Eset: Win32/Koobface.NCF
   •  Bitdefender: Trojan.Packed.Hiloti.Gen.2


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\freddy70.exe



It deletes the initially executed copy of itself.



It deletes the following files:
   • %malware execution directory%\sd.dat
   • %WINDIR%\dxxdv34567.bat
   • C:\3.reg



The following files are created:

%malware execution directory%\sd.dat
C:\3.reg This is a non malicious text file with the following content:
   • %code that runs malware%

%WINDIR%\dxxdv34567.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.
%WINDIR%\bk23567.dat



It tries to download some files:

The locations are the following:
   • http://www.getconnected.be/**********/?action=fbgen&v=70
   • http://oceanacompany.com/**********/?action=fbgen&v=70
   • http://cubman32.net.ua/**********/?action=fbgen&v=70
   • http://www.alkhoei.org/**********/?action=fbgen&v=70
   • http://starart.net/**********/?action=fbgen&v=70
   • http://genesiskdmparts.com/**********/?action=fbgen&v=70
   • http://kalender.sttmedia.se/**********/?action=fbgen&v=70
   • http://zu.ktk.ru/**********/?action=fbgen&v=70
   • http://agribasal-me.com/**********/?action=fbgen&a=544453496&v=70&ie=6.0.2800.1106
   • http://videoleverage.com/**********/?action=fbgen&v=70
   • http://exceleronmedical.com/**********/?action=fbgen&v=70
   • http://agribasal-me.com/**********/?action=fbgen&v=70
   • http://anlaegkp.dk/**********/?action=fbgen&v=70
   • http://download.rmes.ru/**********/?action=fbgen&v=70
   • http://zaferburo.com.tr/**********/?action=fbgen&v=70
At the time of writing this file was not online for further investigation.

 Registry One of the following values is added in order to run the process after reboot:

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "sysfbtray"="%WINDIR%\freddy70.exe"



The values of the following registry key are removed:

–  [HKEY_USERS\S-1-5-21-2025429265-1425521274-839522115-1003\Software\
   Microsoft\Windows\CurrentVersion\Internet Settings]
   • AutoConfigURL
   • ProxyOverride
   • ProxyServer



The following registry keys are changed:

[HKEY_USERS\S-1-5-21-2025429265-1425521274-839522115-1003\Software\
   Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "MigrateProxy"=dword:0x00000001
   • "ProxyEnable"=dword:0x00000000

[HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\
   Microsoft\windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyEnable"=dword:0x00000000

 Injection – It injects itself as a thread into a process.

    Process name:
   • regedit.exe


 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • http://www.google.com

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description insérée par Petre Galan le mardi 23 février 2010
Description mise à jour par Petre Galan le mardi 23 février 2010

Retour . . . .
https:// Cet écran est crypté pour votre sécurité.