Net-Worm.Win32.Koobface.iap

By Domesticus in Worms

Threat Scorecard

Popularity Rank: 14,290
Threat Level: 80 % (High)
Infected Computers: 2,190
First Seen: August 17, 2011
Last Seen: December 12, 2025
OS(es) Affected: Windows

Sometimes the name given to a piece of malware can be quite telling. For instance, Net-Worm.Win32.Koobface.iap tells PC users and the Internet security community at a glance that this threat is a worm and that it specifically targets systems running the Win32 platform. Equally important is its reference to the infamous Koobface family, known for propagating on social networking platforms such as Facebook, Twitter and MySpace, to name a few.

Koobface was originally designed to infect Microsoft Windows and Mac OS X and, in a limited capacity, Linux. Unsuspecting PC users would receive a spoofed, manufactured message routing them to a malicious website, supposedly to view a video or movie. The trap was a fake Adobe Flash update: people were fooled into installing it in order to watch the video, but instead it downloaded the Koobface infection. Once inside, Koobface would begin its attack, hijacking the browser and changing the system-wide proxy settings.

Long gone are the days of simple malware that only poked fun and temporarily disrupted the use of an aggravated victim's system. A well-planned piece of malware (a Trojan, worm or other malicious program) can be used to wage cyber-political warfare, cyber-heists, cyber-theft or robbery, the plundering of vital data, or any low-level crime possible in the real world. Technology has made it easier to store, manipulate and ultimately access all forms of data, data that literally runs millions of organized businesses and lives around the world. Basically, where there is money, there is crime and evil lurking about.

Cybercriminals exploit hardware and software vulnerabilities and use social engineering to manipulate human habits. Koobface and its variant Net-worm.Win32.Koobface.iap exploit exactly this weakness and abuse the trust people place in social networks. An unprotected or poorly secured PC quickly becomes a nest of infestation once Net-worm.Win32.Koobface.iap is downloaded.

Worms are known to replicate and send copies of themselves via email to everyone on a victim's contact list, and they may search for other targets to infect, such as thumb drives or other external drives. Net-worm.Win32.Koobface.iap may build a P2P botnet, so that compromised computers can receive commands over P2P. Equally important is the collection of data stored in your cache, recorded by spying on your surfing habits, or taken from logged system data, so that it can be transferred to a remote server.

While Net-worm.Win32.Koobface.iap is usually propagated through social network channels, it can also be distributed through other channels, with or without the aid of a PC user. The speed at which a worm replicates is also a major concern, since the malicious program can cause a system overload or hard drive crash through the amount of resources it uses. Therefore, time is of the essence in removing this worm.

File System Details

Net-Worm.Win32.Koobface.iap may create the following file(s):
# File Name Detections
1. %Windir%\gh5h166.exe
2. %AppData%\rdr_1312111036.exe
3. %Windir%\twps
4. %UserProfile%\UserData\index.dat

Registry Details

Net-Worm.Win32.Koobface.iap may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3921C115C15D0ECA5CCB5BC4F07D21D8050B566A
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

Analysis Report

General information

Family Name: Worm.Gamarue.DB
Signature status: No Signature

Known Samples

MD5: d9cfcb375625b05e8c604622f9541add
SHA1: 0bd93c06f8d229053a64523e5206380e85c3c7be
SHA256: 8F1B4392533B2A7C09B1675C20E068426DE5D41658F6CD364B228A6275FD88EB
File Size: 127.07 KB, 127072 bytes

MD5: 3445b856d8b43250233f5ed06cc09caf
SHA1: a313e7878d24406177bf18c4ee25660444a319ea
SHA256: DD88DEE26CE4DB15844D371A55B7FD472872EB01AA1B66B7706FC82FD48A4299
File Size: 132.77 KB, 132774 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Comments
  • Tabak
  • Zepac
Company Name
  • Firer
  • Lampi
File Description
  • Zamaz
  • Zefir
File Version
  • 1, 6, 2, 3
  • 1, 3, 1, 9
Internal Name
  • Rapiz
  • Zepa
Legal Copyright
  • Milko
  • Zileg
Legal Trademarks
  • Bapiz
  • Zapaz
Original Filename
  • Dabaris
  • Moreg
Private Build
  • Delim
  • Papak
Product Name
  • Daber
  • Selem
Product Version
  • 4, 8, 2, 6
  • 1, 8, 2, 6
Special Build
  • Fizar
  • Rile

File Traits

  • x86

Block Information

Total Blocks: 99
Potentially Malicious Blocks: 18
Whitelisted Blocks: 81
Unknown Blocks: 0

Visual Map

x x x x x x x x x x 0 x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File Attributes
c:\users\user\downloads\ Synchronize,Write Attributes
c:\users\user\downloads\ízí@x Synchronize,Write Attributes
c:\users\user\downloads\) Synchronize,Write Attributes
c:\users\user\downloads\0ì«éü Synchronize,Write Attributes
c:\users\user\downloads\d229053a64523e5206380e85c3c7be_0000127072.mun Synchronize,Write Attributes
c:\users\user\downloads\rs\user Synchronize,Write Attributes
c:\users\user\downloads\  Synchronize,Write Attributes
c:\users\user\downloads\¼0ì|ízí@x Synchronize,Write Attributes
c:\users\user\downloads\Àp”púÿ Synchronize,Write Attributes
c:\users\user\downloads\ä0ì|íðy Synchronize,Write Attributes
c:\users\user\downloads\ôíü Synchronize,Write Attributes

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • VirtualAllocEx
Process Shell Execute
  • CreateProcess

Shell Command Execution

c:\users\user\downloads\a313e7878d24406177bf18c4ee25660444a319ea_0000132774 (NULL)