Koobface.HJV – Spreading in the wild (Feb 04, 2011)
The Sonicwall UTM Research team discovered a new malicious Worm spreading in the wild. The Worm spreads via Facebook profiles and as part of its post-infection activity, it installs Fake AVG antivirus security software.
The Worm performs the following DNS queries:
The Worm attempts to load various web pages using random page names with the .css extension:
The Worm installs the following files on the system:
- C:\Documents and Settings\{USER}\Local Settings\Temp\feb.bat
- C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296703528.exe [Detected as GAV: Koobface.FF (Trojan)]
- C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296699165.exe [Detected as GAV: Delf.EM (Trojan)]
- C:\WINDOWS\5456456z
- C:\WINDOWS\bt7.dat
- C:\WINDOWS\jjp156.exe [Detected as GAV: Koobface.HJV_2 (Worm)]
- C:\WINDOWS\system32\feb.dll [Detected as GAV: Koobface.HJV_3 (Worm)]
- C:\WINDOWS\system32\drivers\feb.sys [Detected as GAV: Koobface.FF (Trojan)]
feb.bat contains:
netsh firewall add allowedprogram name="feb" program="C:\WINDOWS\system32\svchost.exe" mode=enable
netsh firewall add portopening tcp 8087 feb enable
sc create "ffeb" type= interact type= share start= auto binpath= "C:\WINDOWS\system32\svchost.exe -k ffeb"
reg add "hklm\system\currentcontrolset\services\ffeb\parameters" /v servicedll /t reg_expand_sz /d "C:\WINDOWS\system32\feb.dll" /f
reg add "hklm\system\currentcontrolset\services\ffeb" /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
reg add "hklm\software\microsoft\windows nt\currentversion\svchost" /v ffeb /t reg_multi_sz /d "ffeb " /f
sc start ffeb
feb.dll contains a list of URLs, all of which are either taken down or lead to blank pages at the time of writing. Below is a sample of the URLs contained in feb.dll:
The worm installs the following registry keys to ensure startup of jjp156.exe and the feb.sys driver:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoAutoUpdate dword:00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoWindowsUpdate dword:00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost ffeb hex(7):66,66,65,62,00,00,
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfg49df "c:\windows\jjp156.exe"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB NextInstance dword:00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB\0000 Service "feb"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\feb ImagePath hex(2):"\??\C:\WINDOWS\system32\drivers\feb.sys"
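The service persistence that feb.bat sets up, and that the registry keys above reflect, can be triaged offline from a `reg export` of the affected hives. The following Python script is an added example, not SonicWall's code: it parses .reg-format values (including the hex(7) REG_MULTI_SZ svchost group entry and the REG_BINARY failureactions blob written by feb.bat), decodes the SERVICE_FAILURE_ACTIONS structure to show that the ffeb service is configured to restart itself 60 seconds after each of its first three failures, and reports the svchost-hosted service indicators. The sample .reg text and all function names are constructed for this example from the values on this page.

```python
import re, struct

SAMPLE_REG = r"""
; Constructed sample in `reg export` format, built from the values in this advisory
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"ffeb"=hex(7):66,66,65,62,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ffeb]
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,00,\
  01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00
"""

def decode_value(data):
    """Decode the right-hand side of a .reg value line into (type, value)."""
    if data.startswith('"'):  # REG_SZ; the file doubles backslashes
        return "REG_SZ", data[1:-1].replace("\\\\", "\\")
    kind, _, hexdata = data.partition(":")
    if kind == "dword":
        return "REG_DWORD", int(hexdata, 16)
    raw = bytes(int(b, 16) for b in hexdata.split(",") if b)
    if kind == "hex(7)":  # REG_MULTI_SZ: reg export writes UTF-16LE; older dumps (as here) are narrow
        text = raw.decode("utf-16-le" if raw[1:2] == b"\x00" else "latin-1")
        return "REG_MULTI_SZ", [s for s in text.split("\x00") if s]
    return "REG_BINARY", raw

def parse_reg(text):
    """Return {(key_path, value_name): (type, value)} from .reg export text."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex data wrapped with a trailing backslash
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key:
            name, _, data = line[1:].partition('"=')
            values[(key, name)] = decode_value(data)
    return values

def decode_failure_actions(raw):
    """Decode a SERVICE_FAILURE_ACTIONS blob as stored in the registry (4-byte fields, offsets for pointers)."""
    reset_period, _msg, _cmd, count, offset = struct.unpack_from("<5I", raw, 0)
    actions = [struct.unpack_from("<II", raw, offset + 8 * i) for i in range(count)]  # (SC_ACTION_TYPE, delay ms)
    return reset_period, [(("none", "restart", "reboot", "run_command")[t], d) for t, d in actions]

def check_persistence(values):
    """List the svchost-hosted service indicators this advisory describes."""
    findings = []
    for (key, name), (kind, val) in values.items():
        if kind == "REG_MULTI_SZ" and key.endswith("\\SvcHost"):
            findings.append(f"svchost group {name!r} hosts services {val}")
        elif name == "FailureActions" and kind == "REG_BINARY":
            findings.append(f"{key} failure actions: {decode_failure_actions(val)[1]}")
    return findings
```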
Upon installation the Worm informs the user that it needs to perform a "Scan" of the system.
It performs a fake system scan which is hosted on a Fake AV landing page:
- http://3064972.greyzzsecure9.com/defender/?914ea0a274=vmzd&8a83854da2d=jjdjtamdvz&5f701=jvottyajzt
When clicking on "Remove all" or "Cancel" it attempts to initiate the download of:
- bitav_2053_ext6.exe [Detected as GAV: TDSS.ABCR (Trojan)]
The worm will periodically cause pop-up messages such as in the screenshot below:
When clicking OK to such pop-up messages the Worm will bring up further Fake AV pages which attempt to download more malware to the infected machine such as:
- pack.exe [Detected as GAV: SecurityTool.W (Trojan)]
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Koobface.HJV (Worm)
- GAV: Koobface.HJV_2 (Worm)
- GAV: Koobface.HJV_3 (Worm)
- GAV: Koobface.FF (Trojan)
- GAV: Delf.EM (Trojan)
- GAV: TDSS.ABCR (Trojan)
- GAV: SecurityTool.W (Trojan)