Ha bisogno di assistenza? Chieda alla community oppure consulti un esperto.
Vai ad Avira Answers
Date discovered:20/10/2009
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:55.296 Bytes
MD5 checksum:a3d5881897b4cdcc4d0e19b1efe19b6d
IVDF version: - Tuesday, October 20, 2009

 General Aliases:
   •  Mcafee: W32/Koobface.worm.gen.o
   •  Panda: W32/Koobface.FQ.worm
   •  Eset: Win32/Koobface.NCF
   •  Bitdefender: Win32.Worm.Koobface.ALN

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\freddy71.exe

It deletes the initially executed copy of itself.

It deletes the following files:
   • %malware execution directory%\sd.dat
   • %WINDIR%\dxxdv34567.bat
   • C:\3.reg

The following files are created:

%malware execution directory%\sd.dat
– C:\3.reg This is a non malicious text file with the following content:
   • %code that runs malware%

%WINDIR%\freddy101.exe Further investigation pointed out that this file is malware, too. Detected as: TR/Dropper.Gen

%WINDIR%\dxxdv34567.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

It tries to download some files:

– The locations are the following:
   • http://poolandservices.com/**********/?action=fbgen&v=71
   • http://s159382787.onlinehome.us/**********/?action=fbgen&v=71
   • http://www.lunohod.com/**********/?action=fbgen&v=71
   • http://bellefonteband.net/**********/?action=fbgen&v=71
   • http://qatar-business-guide.net/**********/?action=fbgen&v=71
   • http://qatar-business-guide.net/**********/?action=fbgen&mode=s&a=544453496&v=71&ie=6.0.2800.1106
   • http://500instantniches.com/**********/?action=fbgen&v=101&crc=669
   • http://reishus.de/**********/?getexe=fb.101.exe
   • http://500instantniches.com/**********/?action=fbgen&mode=s&age=6&a=544453496&v=101&crc=669&ie=6.0.2800.1106
   • http://tehnocentr.chita.ru/**********/?action=fbgen&v=71
   • http://peacockalleyantiques.com/**********/?action=fbgen&v=71
Further investigation pointed out that this file is malware, too.

 Registry The values of the following registry key are removed:

–  [HKEY_USERS\S-1-5-21-2025429265-1425521274-839522115-1003\Software\
   Microsoft\Windows\CurrentVersion\Internet Settings]
   • AutoConfigURL
   • ProxyOverride
   • ProxyServer

The following registry keys are changed:

– [HKEY_USERS\S-1-5-21-2025429265-1425521274-839522115-1003\Software\
   Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "MigrateProxy"=dword:0x00000001
   • "ProxyEnable"=dword:0x00000000

– [HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\
   Microsoft\windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyEnable"=dword:0x00000000

 Injection – It injects itself as a thread into a process.

    Process name:
   • regedit.exe

 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • http://www.google.com

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Descrizione inserita da Petre Galan su martedì 23 febbraio 2010
Descrizione aggiornata da Petre Galan su martedì 23 febbraio 2010

Indietro . . . .
https:// Questa finestra è criptata per tua sicurezza.