I recently discovered a worm called W32 Koobface that was circulating on Twitter.

Koobface has been spreading in the wild throughout the month of June targeting Facebook & MySpace accounts.

IT Security expert Kaspersky Lab claims that the number of Koobface variants detected jumped from 324 at the end of May 2009 to almost 1000 by the end of June 2009.

Once a user is infected, the worm spreads to his or her friends and targets further social networking websites such as Bebo, Tagged, Netlog and, most recently, Twitter.

Here is the screenshot taken on Twitter, July 15, 2009:

[Screenshot: koobface-twitter-worm]

Users clicking on the malware link (http:\\zoomtox.com\youtube/\) are redirected to a site that looks similar to YouTube.

[Screenshot: w32-koobface-worm]

As you can see from the screenshot above, a fake video tries to load and you immediately see this message: "The content requires Adobe Flash Player 10.37. Would like to install now?"

The IP address of the malware site “66.176.202.237” reveals that it is hosted in the US.

Within a few seconds, users are automatically redirected to another site, with the IP address "93.102.67.66", hosted in Portugal, from which the malware (W32 Koobface) is downloaded to their PC.

The infection is simple: it requires just one click from the user on the link pointing to the malware, and they are infected. However, users running an antivirus program such as Symantec or Kaspersky should remain protected from this threat.

Here is the full description of "HTTP W32 Koobface File Download" from Symantec:

W32.Koobface.A is a worm that spreads through social networking sites.

When the worm executes, it copies itself as the following file:
c:\windows\mstre6.exe

It also creates the following file which serves as an infection marker:
c:\windows\tmark2.dat

It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"systray" = "c:\windows\mstre6.exe"

The worm deletes the following registry key:
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

When executed for the first time on a given machine it will display the following message box in order to distract user’s attention from its real purpose:
Window title: Error
Window body: Error installing Codec. Please contact support.

Then it searches for cookies related to social networking sites. If none are found, the worm deletes itself.

If the worm finds the appropriate security cookie, it modifies the settings so that links to malicious sites will be added to the user’s profile to trick visitors into following. These links will point to a copy of the worm disguised as a video codec.

Affected

* Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
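A read-only host check for the artifacts in the Symantec description above, added here as an example that is not from the original post or from Symantec's write-up. It assumes PowerShell 4.0 or later (for Get-FileHash), that %SystemRoot% is the c:\windows directory named in the description, and it uses the Run key's actual name, CurrentVersion, where the quoted text shows a space:

```powershell
# Added example: look for the W32.Koobface.A artifacts listed in Symantec's description.
# Read-only; nothing is deleted or modified. Run in an elevated PowerShell session.
$findings = @()

# 1. Dropped copy of the worm and its infection marker (paths from the description).
foreach ($path in @("$env:SystemRoot\mstre6.exe", "$env:SystemRoot\tmark2.dat")) {
    if (Test-Path -LiteralPath $path) {
        # Hash the file so it can be compared against vendor signatures or submitted for analysis.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File present: $path (SHA256 $hash)"
    }
}

# 2. Persistence: a Run value named "systray" that points at mstre6.exe.
#    The real key name is CurrentVersion (no space), unlike the quoted text.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$systray = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).systray
if ($systray -and $systray -match 'mstre6\.exe') {
    $findings += "Run value 'systray' = $systray"
}

# 3. The worm deletes this key, so its absence is a weak, supporting indicator only.
$navKey = 'HKCU:\AppEvents\Schemes\Apps\Explorer\Navigating'
if (-not (Test-Path -Path $navKey)) {
    $findings += "Key missing (deleted by the worm): $navKey"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Koobface.A artifacts found.'
} else {
    Write-Output 'Possible W32.Koobface.A infection:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Treat a hit on the file or Run value as a strong indicator and the missing key alone as a prompt for further checks, not a verdict.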



from Malaysia Technology Blog