Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove Koobface Facebook Worm from Your PC

An extremely dangerous worm has been the main topic of discussion in the online security community lately. Known as the Koobface botnet it is a malware infection that aims to spread to as many computers as possible. As the name suggests(koobFace in different order is Facebook) the malicious cyber-threat takes advantage of security weaknesses and users in social networks to infect computers and build a zombie network of peer-to-peer connected devices. The botnet may be used to install other malware on a massive scale based on the interests of the hackers controlling it. Experts from Symantec believe that the cyber-crooks may offer services to install malware bases on third-party orders. Users are strictly warned to take detecting and preventive measures in order to eradicate any danger that may be caused by this worm.

Name W32.Koobface
Type Worm Infection
Short Description The malware may perform a wide variety of malicious deeds on the compromised computer and build up a botnet.
Symptoms The user may witness advertisements, unauthorised posts from his/her profile in social media. Other after-effects include high network traffic, changed DNS settings in the IP protocol settings as well as all the symptoms of having an adware or a browser hijacker.
Distribution Method Via Social Media websites primarily through friends` posts.
Detection Tool Download Malware Removal Tool, to See If Your System Has Been Affected by W32.Koobface
User Experience Join our forum to discuss about W32.Kobface.

Koobface Worm – How Does It Infect

The infection is Distributed primarily in North America and Australia but It has also been detected in Europe. The worm is reported by malware researchers to be spread mainly via social networking websites. The malware may contain web links in a promoted or shared post that may redirect to external website, demanding a video codec to watch a video.

Posts that infect users with the virus, may look like the following:

android spam

The Koobface Worm – What Does It Do

People use social networking on a global scale and the users of such networks are still rapidly increasing. This is the very core competence of Koobface. It uses such websites, targeting users of any type. The worm relies primarily on inexperienced users that may fall into its social engineering (soc eng) trap. Tricked users believe that a web link, posted by a buddy may be trusted and this is how they become part of the increased botnet.

Once the worm builds a network it may be used to install additional programs of any types on the compromised PCs. They may be adware applications like browser hijackers that display pop-ups and change your browser`s settings, like Yoursearching(.)com. The worm may also download Ransomware like TeslaCrypt on your computer and encrypt your sensitive data.

Here are some other “features” of the worm:

  • Obtain sensitive credentials.
  • Redirect users to malware-infested sites.
  • Display advertisements.
  • Collect HTTP traffic information.
  • Deploy phishing attacks.
  • Block websites on demand.
  • Serve to a third-part command center via a web server.
  • Download other files via opened ports.
  • Steal legitimate license keys of Windows and other purchased software on the affected device.
  • Bypass CAPTCHA identifications.
  • Create user accounts of different sites and social media accounts.

The Koobface Worm In Detail

Regarding the installation, the worm is reported by Symantec researchers to come via a fake setup.exe or fake update of a plugin. It usually happens after clicking on a link posted in Facebook redirecting to the malicious URL. When activated it copies its malicious objects directly into the Hard Drive of the affected PC.

The worm has three versions and depending on them, the malicious payload carrying filename may be one of the following:

  • Ld05.exe
  • Ld11.exe
  • Ld12.exe

Furthermore, the researchers have also managed to detect that the worm can self-check if its files are active and running in C:\Windows\that is the main Windows directory. In case the scenario is that it is inactive, it copies a .bat file in C:\ then deletes it`s current executable, allowing it to remain active for longer. File names may vary for different intrusions.

Regarding what the worm does in the Windows Registry Editor, well, the picture is not pretty there either:

In the key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\” it creates value with data to run the version`s .exe.
For example:
sysLdtray” = “%Windir%\Ld05.exe”

Furthermore, the Worm may also deploy malicious files that may have the following names:

  • ddnsFilter.dll
  • filter.sys
  • fio32.dll
  • fio32.sys

These files, when activated have the ability to block foreign domains and restrict the user`s access to them.

Here are some of the domains that Symantec researchers report to be blocked:

a-2.org; agnitum; aluriasoftware; antivir; antivirald; anti-virus attechnical; authentium; avast; avgfrance; avg. ; avp. ; bitdefender ; blackice; ccsoftware; centralcommand ; deerfield ; dialognauka ; diamondcs ; drsolomon ; drweb ; eicar ; emsisoft ; esafe ; eset ; fileburst ; finjan ; fmsinc ; free-av ; f-secure ; gecadsoftware; grisoft ; gwava ; hackerwatch; housecall ; iavs.cz ; ieupdate ; ikarus-software ; inline-software ;javacoolsoftware ; kaspersky ;kerio ;k-otik ; lavasoft ; liutilities ; looknstop ; malwarebytes ; mcafee ; megasecurity ; microworldsystems ; misec ;moosoft my-etrust ; networkassociates ; noadware ; nod32 ; norman.no ; nsclean ; openantivirus ; pandasoftware ; pestpatrol ; psnw. ; pspl. ; ravantivirus ; safer-networking ; safetynet ; sald.com ; securitoo ; secuser ; simplysup ; sophos ; spyblocker-software; spycop ; spywareguide ; stiller ; sybari ; sygate ; symantec ; tinysoftware ; toonbox ; trapware ; trendmicro ; turvamies ; viguard ; viruslist ; virustotal ; visualizesoftware ; vsantivirus ; wilderssecurity ; wildlist ; windowsupdate ; winpatrol ; x-cleaner ; zeylstra ; zonelabs ; zonelog ;

Also, the worm might change the DNS settings of the compromised PC.

When it comes to the info-stealing “extra” the Worm has been gifted, it is utilized via another malicious file, known as either “go.exe” or “get.exe”. Via those the worm can gather all types of relevant system info that then may be aggregated and sent out to the C&C servers. Without going into much detail imagine that every software you purchased, every password you saved, any information with value may suddenly be used against you or to serve other interests.

And this is not where the surprises by Koobface Worm end. It may also cause redirects and what is known as Black SEO to the search results of your search engine, without you even noticing it. Imagine you are looking to buy smartphones and the worm displays the relevant search results but after clicking them you may get redirected to a third-party website that may either be an Advertising site or a malicious URL. The objects controlling this have been reported to be .dll files containing the word “Browser” in them.

When we examine the obtaining of Network traffic data, Koobface might reroute this information directly to the controlling server. Furthermore, it may also have direct commands that may influence the default routing table, allowing third-party addresses to intercept and monitor your daily activities.

Last but not least important, the malware may affect the compromised computer using a Web Server, posting on its behalf on social networks or allowing it to spread via the Local Area Network(LAN) of the user affecting other computers. This is particularly effective for small home or office networks. The module controlling it goes by the name webserver.exe. It was also detected with a .dat extension. Additionally, Koobface has been reported to use the TCP ports 80 and 53 for incoming connectivity. However the ports it opens may vary.

The bypassing of the CAPTCHA defense mechanism, while the worm is attempting to post from your behalf in social media sites, is done by uploading it directly to the command servers controlled by the hackers. The CAPTCHA is then displayed in full screen in front of another user preventing any other activity before entering it manually. This is a very effective distribution method since it allows the Koobface creators to work for free.

Removing Koobface Worm Completely

To remove Koobface worm, a simple removal manual would not cut it, since the worm may have infected you with different malware, like Trojan.Downloader or a Rootkit. This is why it is highly advisable to do a clean reinstall of your computer, after which to use the tutorial below in order to check whether or not the device you are using is safe. It is also advisable to use a VPN service or a Proxy as well as advanced malware protection software to further detect and prevent any intrusions by Koobface.

1. Boot Your PC In Safe Mode to isolate and remove W32.Koobface
2. Remove W32.Koobface with SpyHunter Anti-Malware Tool
3. Remove W32.Koobface with Malwarebytes Anti-Malware.
4. Remove W32.Koobface with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryptions by W32.Koobface in the future
NOTE! Substantial notification about the W32.Koobface threat: Manual removal of W32.Koobface requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.