Threat Encyclopedia

Short description
Win32/Koobface.NCF is a worm that spreads through social networking sites. The file is run-time compressed using UPX.
Installation
When executed, the worm copies itself into the following location:
  • %windir%\tag13.exe
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SYsTgray2" = %windir%\tag13.exe
The following Registry entries are set:
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = 2
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml]
    "CLSID" = "{25336920-03F9-11cf-8FD0-00AA00686F13}"
    "Extension" = ".xml"
    "Encoding" = 08 00 00 00
The following Registry entries are removed:
  • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating]
Spreading
The worm checks for Internet connectivity by trying to connect to the following servers:
  • www.google.com
If no Internet connection is detected, the worm deletes itself.

The worm connects to several remote servers.
The worm searches for cookies with login sessions related to social networking sites. The following social networking sites are affected:
  • bebo.com
  • facebook.com
  • hi5.com
  • myspace.com
  • netlog.com
  • tagged.com
  • twitter.com
If the worm finds the appropriate cookie, its content is sent to the following remote computer:
  • xtsd20090815.com
The worm then obtains data and instructions for further action.

The worm spreads by sending messages to people that are "friends" with someone in the social network whose computer has already been infected.

The message contains a URL link to a website containing malware.

If the link is clicked, a copy of the worm is downloaded. Some examples follow.

Examples (1.) to (4.): sample messages, shown as images in the original entry.
Other information
The worm creates the following files:
  • x2.dat
  • %windir%\xdv34567.bat
  • %windir%\tgmark2.dat
  • c:\2.reg
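The persistence entry, registry changes and dropped files listed above can be checked on a suspect host with a read-only triage script. The script below is an added example and not part of the encyclopedia entry; it assumes an elevated PowerShell session on the machine being examined and reports findings without changing anything.

```powershell
# Added example (not from the encyclopedia entry): read-only host triage for the
# Win32/Koobface.NCF indicators listed above. Run in an elevated PowerShell session.
$windir   = $env:windir
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: Run value "SYsTgray2" pointing at %windir%\tag13.exe
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SYsTgray2']) {
    $findings.Add("Run value 'SYsTgray2' = $($run.SYsTgray2)")
}

# 2. Dropped files named in the entry (x2.dat has no path in the entry, so it is not checked)
$paths = @((Join-Path $windir 'tag13.exe'),
           (Join-Path $windir 'xdv34567.bat'),
           (Join-Path $windir 'tgmark2.dat'),
           'C:\2.reg')
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("File present: $p (SHA256 $hash)")
    }
}

# 3. MIME key created by the worm. The key name contains "/", which the PowerShell
#    registry provider treats as a path separator, so the .NET registry API is used.
#    Legitimate software may also register this content type, so treat it as corroborating.
$mime = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml')
if ($mime) {
    if ($mime.GetValue('CLSID') -eq '{25336920-03F9-11cf-8FD0-00AA00686F13}') {
        $findings.Add("MIME key application/xhtml+xml present with the CLSID from the entry (corroborating)")
    }
    $mime.Close()
}

# 4. Weak indicators: Explorer "Hidden" = 2 is also the Windows default (hidden files not
#    shown), and the Navigating sound-scheme key can be absent for unrelated reasons.
$adv = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.Hidden -eq 2) { $findings.Add("Explorer 'Hidden' = 2 (weak: default value)") }
if (-not (Test-Path 'HKCU:\AppEvents\Schemes\Apps\Explorer\Navigating')) {
    $findings.Add("HKCU\AppEvents\Schemes\Apps\Explorer\Navigating is missing (weak)")
}

if ($findings.Count -eq 0) { 'No Koobface.NCF indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The Run value and the dropped files are the strong indicators; the registry items in step 4 only support a finding and should not be reported on their own.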
The worm may attempt to download files from the Internet. The HTTP protocol is used.

These are stored in the following locations:
  • %windir%\%filename%
  • %temp%\%filename%
A string with variable content is used instead of %filename%.