Koobface

Koobface Description

Koobface is a computer worm that spreads through social network messages on Facebook, Twitter, MySpace and other sites. Koobface targets social network users' profiles by sending a message that asks them to view a video; the link redirects users to malicious websites designed to spread the Koobface infection. Many of the illicit messages sent via social networks have the subject line "You look funny in this new video" or "You look just awesome in this new movie." If the link in the message is clicked, the site asks the visitor to update Flash Player, and that "update" is the malware download. Koobface infiltrates a user's system through a fake Flash Player update file named flash_player.exe. Other variants of Koobface are known as W32.Koobface, W32/Koobface, Worm.Win32.Koobface.b and Boface.

Aliases: Worm.Win32.Koobface.bn, Win-Trojan/Injecter.17920.ES [AhnLab-V3], Trojan.Win32.Downloader.17920.GQ, TrojanDownloader.Injecter.abx, Trojan.Dropper.Koobface.AEJ [McAfee-GW-Edition], DR/Koobface.AEJ [AntiVir], Trojan.DownLoad.40118 [DrWeb], TrojWare.Win32.TrojanDownloader.Injecter.ddn0 [Comodo], Worm.Koobface-125 [ClamAV], W32/Downldr2.FZRM [F-Prot], Trojan.DL.Injecter.BRL, Trojan/Downloader.Injecter.ddn, TrojanDownloader.Injecter.ddn [CAT-QuickHeal], Trojan-Downloader/W32.Injecter.17920.W and Artemis!10377EFE296F [McAfee+Artemis].

Technical Information

File System Details

Koobface creates the following file(s):
| # | File Name | Size (bytes) | MD5 | Detection Count |
| --- | --- | --- | --- | --- |
| 1 | %WINDIR%\system32\swe.dll | 64,512 | b008856fa107fb14dbfb01ac4bc7ff0a | 609 |
| 2 | %WINDIR%\system32\drivers\PDRV.sys | 39,296 | 07e86b47b742f78855ea14b68f4b6fea | 505 |
| 3 | %WINDIR%\system32\drivers\swe.sys | 28,544 | 5c02175de191a7fac64bbb77b62637c7 | 488 |
| 4 | %WINDIR%\system32\mas.dll | 49,152 | 0ca69d528f881daf9553dd969b16a276 | 466 |
| 5 | %WINDIR%\system32\drivers\mas.sys | 28,032 | 2428166634a56621d224f2f8883ebb0d | 440 |
| 6 | %WINDIR%\system32\btw_oko.dll | 133,632 | 175e1679f1d38e6771ca09caa2f63be7 | 31 |
| 7 | %WINDIR%\system32\certoko.dll | 128,000 | 9392b9eaab4b07b1b1696f350caf7397 | 18 |
| 8 | %WINDIR%\system\svchost.exe | 40,448 | 55d39b196e1ac496a355e9bc16de3ba1 | 6 |
| 9 | %windir%\system32\fio32.dll | 50,688 | c1448afa4012e692b85c2755a112c33c | 1 |
| 10 | kenny14.exe | 21,504 | 6a4f4328cd6168a8cb20b9c473fb2607 | 0 |
| 11 | kenny17.exe | 19,456 | a5581a695cc8c52157aa9d413032bbb8 | 0 |
| 12 | o6ko.sys | 32,768 | 97422c4896c4ce5cf4ff38500918c069 | 0 |
| 13 | bill104.exe | 65,536 | 028e9f6c6ecc8c60986ff723b1fc3404 | 0 |
| 14 | bolivar27.exe | 29,696 | cbd1298e9c3a9d62e0404c18593479b3 | 0 |
| 15 | che6.exe | 21,504 | 8ea9e442bf3a56a171086a58d23a3aa3 | 0 |
| 16 | fbtre6.exe | 17,408 | 1fa5b4771e4d4e9f6dff52521b2d9bfd | 0 |
| 17 | bill105.exe | 62,976 | f5927d6e2879c1ac0dddfe8876fadd99 | 0 |
| 18 | dl1.exe | 324,096 | e9d1edceed62b10b8324d2ae46f8bc6f | 0 |
| 19 | bill106.exe | 51,712 | eb5b7849efbe793e13ebf102eecd77b9 | 0 |
| 20 | mrxoko.sys | 32,768 | c52a4b688b5ba67181cd809c5204a18c | 0 |
| 21 | ndisoko.sys | 32,768 | 7597e155a66a2ab97e2195255757e1a4 | 0 |
| 22 | bill107.exe | 75,264 | 36b8e9c38b88ff9aa2c06c3f78fbab52 | 0 |
| 23 | bill108.exe | 72,192 | 441d525538ec30002b0581373c3b7623 | 0 |
| 24 | bill109.exe | 74,752 | 7e35f37167c894c5b4a9c29a1648dcf2 | 0 |
| 25 | bill110.exe | 77,312 | 4fb5e6eea077e43c95c65f072c608c91 | 0 |
| 26 | bill112.exe | 72,704 | 3a1f9e5af6ee84407feb05b1742108e8 | 0 |
| 27 | bill113.exe | 77,824 | d03a7a1c63491f4d0d24a9e084eca1b1 | 0 |
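The file table above is only useful if it can be checked against a machine. The script below is an added example, not Enigmasoftware's code: it carries a subset of the table's file names and MD5 hashes, walks a directory tree, and reports an "exact" hit when both the base name and the hash match, or a "name-only" hit when a known Koobface file name turns up with a different hash (Koobface is repacked often, so a name-only hit is worth a look but is not proof of infection). The demo tree it builds, the `demo_dropper.exe` indicator and its contents are constructed here for illustration; the legitimate `svchost.exe` is deliberately left out of name matching because it would only produce noise.

```python
"""Match files on disk against the Koobface file indicators from the table above.

Added example, not Enigmasoftware's code. Windows file names are case-insensitive,
so names are lowercased; hashing is MD5 only because that is what the table gives.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Union

# Indicators transcribed from the file table above (base name -> MD5). The
# %WINDIR% prefix is dropped because matching is done on the base name, which
# also catches a sample dropped somewhere other than its usual directory.
# svchost.exe is omitted: the genuine system binary shares that name.
KOOBFACE_IOCS: Dict[str, str] = {
    "swe.dll": "b008856fa107fb14dbfb01ac4bc7ff0a",
    "pdrv.sys": "07e86b47b742f78855ea14b68f4b6fea",
    "swe.sys": "5c02175de191a7fac64bbb77b62637c7",
    "mas.dll": "0ca69d528f881daf9553dd969b16a276",
    "mas.sys": "2428166634a56621d224f2f8883ebb0d",
    "btw_oko.dll": "175e1679f1d38e6771ca09caa2f63be7",
    "certoko.dll": "9392b9eaab4b07b1b1696f350caf7397",
    "fio32.dll": "c1448afa4012e692b85c2755a112c33c",
    "kenny14.exe": "6a4f4328cd6168a8cb20b9c473fb2607",
    "fbtre6.exe": "1fa5b4771e4d4e9f6dff52521b2d9bfd",
}

Verdict = Dict[str, str]


def md5_of_file(path: Union[str, Path], chunk_size: int = 1 << 16) -> str:
    """Stream the file through MD5 so large files are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def classify(path: Union[str, Path], iocs: Dict[str, str] = KOOBFACE_IOCS) -> Optional[Verdict]:
    """Return a verdict for a file whose base name is in the indicator table, else None.

    'exact'     : base name and MD5 both match the table.
    'name-only' : base name matches but the hash differs (a repacked variant, or a
                  benign file with an unlucky name); worth a manual look, not a kill.
    """
    p = Path(path)
    name = p.name.lower()
    expected = iocs.get(name)
    if expected is None:
        return None
    actual = md5_of_file(p)
    verdict = "exact" if actual == expected.lower() else "name-only"
    return {"verdict": verdict, "name": name, "path": str(p), "md5": actual}


def scan_tree(root: Union[str, Path], iocs: Dict[str, str] = KOOBFACE_IOCS) -> List[Verdict]:
    """Walk root and collect verdicts; unreadable files are skipped rather than fatal."""
    hits: List[Verdict] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            candidate = Path(dirpath) / fn
            if candidate.is_symlink() or not candidate.is_file():
                continue
            try:
                verdict = classify(candidate, iocs)
            except OSError:
                continue  # locked or permission-denied file; a real tool would log it
            if verdict is not None:
                hits.append(verdict)
    return hits


# --- self-contained demo on constructed files (no real malware involved) -----------
DEMO_SAMPLE = b"constructed stand-in for a Koobface dropper"  # constructed content
DEMO_IOC_MD5 = hashlib.md5(DEMO_SAMPLE).hexdigest()


def run_demo() -> Dict[str, object]:
    """Build a throwaway tree with one name-only hit, one exact hit and one benign file."""
    root = Path(tempfile.mkdtemp(prefix="koobface-demo-"))
    (root / "swe.dll").write_bytes(b"same name as the IoC, different content")
    (root / "readme.txt").write_bytes(b"benign file")
    (root / "drivers").mkdir()
    (root / "drivers" / "demo_dropper.exe").write_bytes(DEMO_SAMPLE)
    # Extend the table with a constructed indicator so the exact-match path is exercised.
    iocs = dict(KOOBFACE_IOCS, **{"demo_dropper.exe": DEMO_IOC_MD5})
    return {"root": str(root), "benign": str(root / "readme.txt"), "hits": scan_tree(root, iocs)}


if __name__ == "__main__":
    for hit in run_demo()["hits"]:
        print(f"{hit['verdict']:9s} {hit['path']}  md5={hit['md5']}")
```

On a real machine you would call `scan_tree` on the Windows directory (the table's `%WINDIR%\system32` and `%WINDIR%\system32\drivers`) rather than on the demo tree; treat an exact hit as a confirmed indicator and a name-only hit as a lead to verify by other means, since many of the table's hashes have a detection count of zero and a current variant will almost certainly carry a different MD5.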

Registry Details

Koobface creates the following registry entry or registry entries:
| File name without path | Run keys |
| --- | --- |
| ld14.exe | Captcha7 |

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.
