ANNOUNCEMENT!!

There will be an exhibition done by Sabah State Library for the opening ceremony of Bandar Sri Indah in Tawau on the 8th of March, 2011. There would be several prints of Tawau old photos on display and the Kee Family book by Kee Faridah as well. Please stop by and visit if you have the time :)

Wednesday, September 23, 2009

Koobface Virus attacking social network (Facebook included), be aware!!!

Yesterday I received an inbox message in my facebook account from one of my contacts. The subject was "Congratulations you are on TV". I knew right away it was a virus that has been circulating the social networks, and facebook is no exception. For many years, another similar virus has been infecting chat messengers such as Live Messenger, Yahoo, etc. In that case, you receive an offline message with a link from someone in your contact list that suggests you click it.

However, in social networks such as facebook, myspace, etc., the virus spreads by sending a malicious inbox / e-mail message with subjects like these:

Great luck! You were caught by a secret camera!
What are you doing on this video?
And what if your spouse see this film?
Very interesting: is it really you on this clip?
You should be ashamed by this behavior.
This video from our weekend.
Congratulations! You are on TV!
New (Celebrity Name) Video Clips!
You were on TV!
Our video from last weekend!
You look awesome in this video!
and the subject varies to get your interest!


In the message there is a link to a "video". The link will take you to a site that looks similar to YouTube, or other video sites, and tells you that you need to install a codec, player or an update to view the video. Sometimes it just gives you another link that says "Click Here / Click Here To View" or "Flash Player upgrade required". When you install the file, you are installing a virus. The virus will essentially hijack your facebook account and will send out a similar message to all your friends in your contact list.

Last night I noticed that the modus operandi has been upgraded: now it posts a video link on the wall (profile page) on facebook. Of course, having it posted on the wall doesn't mean that the account is infected with the virus. The purpose is to tempt curious minds into checking and clicking on the video link. So if a suspicious video link is posted on your wall, please don't click on it; remove it right away even if it is from someone you know. Confirm with your friends whether they really sent you the video and whether it's safe. There is a possibility that their account is infected with the virus too.

A sample of a malicious video link posted on the facebook wall. The source differs each time; the same link was posted on my wall twice from different sources.


So what is the Koobface virus, and what does it do?


The Koobface worm was first detected by Kaspersky Labs as Net-Worm.Win32.Koobface.a and Net-Worm.Win32.Koobface.b. It is also known as Boface and by many other aliases. It sends and posts fake comments and messages with malicious links. After clicking the link, the victims are automatically redirected to a Koobface-controlled server, which then routes them off to a fake codec site specifically designed for the social network they came from. After a user visits a malicious site and unknowingly downloads the malware, the worm searches for cookies created by online social networks. Once Koobface finds the social networking cookies, it makes a DNS query to look up the IP addresses that correspond to remote domains. The server is then able to send and receive information regarding the infected machine and perform remote commands on the victim's PC. For example: an infected PC could send an instant message claiming to be from a "friend" saying "check out last night party video." Intrigued, the victim's friends click on the message to view the clip, and their computers become infected and part of a botnet. The cycle repeats itself.

More info on Koobface by Microsoft

Is Koobface a trojan?

The Win32/Koobface becomes a threat when it starts to fabricate fake pop-up advertisements or messages that promote installation of its affiliated programs. For example, the Win32/FakeXPA that comes under a fake file name such as "coderupdate.exe", "codecsetup.exe" or whatever, which is actually a backdoor Trojan. So please don't ever download and install codecs from random unauthorized websites.

Malwarebytes detects Koobface as Trojan.Koobface.

What to do if you are infected? How to remove Koobface from your infected Computer?

1. Reset your password immediately.
2. Run a scan on your computer to check if you are infected with the virus. There are several free online scanners; I recommend Kaspersky Lab. Once you detect the virus, you can remove it using the Remove Virus Tool. Another good application is Malwarebytes Anti-Malware.
3. Please do not install unknown Koobface removal software from random websites, such as the "Koobface Removal Tool"; it might be associated with the virus itself and infected with a trojan that will create a hole in your security system.

How to remove the Win32 Koobface manually?

I strongly advise against this unless you have sufficient expertise in dealing with program files, processes, .dll files and registry entries. This manual removal process may be difficult, and you run the risk of damaging your computer.

Step 1 : Use Windows Task Manager to Remove W32.Koobface.B Processes

End the "W32.Koobface.B" process, which runs from this file:

C:\Windows\fbtre6.exe

Step 2 : Use Registry Editor to Remove W32.Koobface.B Registry Values

Locate and delete "W32.Koobface.B" registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "C:\Windows\fbtre6.exe"

Step 3 : Detect and Delete Other W32.Koobface.B Files

Remove the remaining "W32.Koobface.B" files:

C:\Windows\fmark2.dat
C:\Windows\fbtre6.exe
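The manual steps above boil down to three indicators: two file names under C:\Windows and a Run value named "systray". The script below, an added example that is not code from the post or from any vendor's removal tool, turns those indicators into a read-only audit: it inspects autorun values and a directory listing and reports matches without deleting anything, so the actual clean-up can still be left to a scanner as recommended earlier. The indicators come from the post; the function names (executable_name, audit_run_entries, audit_file_listing, collect_run_entries, scan_windows_dir) and the sample Run entries are this example's own assumptions. It also reads the HKCU Run key, which the post does not mention, because autorun entries live there as well.

```python
"""Audit Windows autorun entries and a directory listing for the Koobface
indicators named in the post (fbtre6.exe, fmark2.dat and a Run value called
"systray"). Added example, not code from the post; the function names are this
example's own. It only reports findings and deletes nothing."""
import ntpath
import os
import sys
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the post. File-name matching is case-insensitive.
SUSPECT_FILES = {"fbtre6.exe", "fmark2.dat"}
SUSPECT_RUN_NAME = "systray"

# Autorun key, checked in both HKLM and HKCU (the post lists only HKLM).
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of Run values, so the logic can be exercised off-line.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("systray", r"C:\Windows\fbtre6.exe"),
    ("OneDrive", r'"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def executable_name(command: str) -> str:
    """Return the lower-cased file name of the program a Run command launches.

    Handles both quoted paths ("C:\\Program Files\\x.exe" /arg) and bare ones.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def audit_run_entries(entries: Iterable[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Flag Run values whose name or launched file matches an indicator."""
    findings = []
    for name, command in entries:
        exe = executable_name(command)
        reasons = []
        if exe in SUSPECT_FILES:
            reasons.append(f"launches {exe}, a Koobface file name")
        if name.lower() == SUSPECT_RUN_NAME:
            reasons.append('value name "systray" matches the Koobface autorun entry')
        if reasons:
            findings.append({"name": name, "command": command, "reasons": reasons})
    return findings


def audit_file_listing(paths: Iterable[str]) -> List[str]:
    """Return the paths whose file name matches a Koobface indicator."""
    return [p for p in paths if ntpath.basename(p).lower() in SUSPECT_FILES]


def collect_run_entries() -> List[Tuple[str, str]]:
    """Read the Run values from HKLM and HKCU (Windows only; [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, available on Windows builds of Python

    entries = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue  # key absent or not readable
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                entries.append((name, str(data)))
                index += 1
    return entries


def scan_windows_dir() -> List[str]:
    """List %WINDIR% (the directory the post names) and flag indicator files."""
    windir = os.environ.get("WINDIR", r"C:\Windows")
    try:
        listing = [ntpath.join(windir, f) for f in os.listdir(windir)]
    except OSError:
        return []  # not on Windows, or the directory is unreadable
    return audit_file_listing(listing)


if __name__ == "__main__":
    # Off Windows (or with no Run values) fall back to the constructed sample.
    entries = collect_run_entries() or SAMPLE_RUN_ENTRIES
    for finding in audit_run_entries(entries):
        print(f'Run value "{finding["name"]}" -> {finding["command"]}')
        for reason in finding["reasons"]:
            print("   ", reason)
    for path in scan_windows_dir():
        print("suspect file:", path)
```

Run it as an ordinary user; reading the Run keys needs no elevation. A hit on the "systray" value name alone is worth verifying by hand, since only the combination with a target of fbtre6.exe reproduces the exact entry quoted in the post.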

Again, I remind you not to try this unless you know what you are doing or you might end up damaging your computer.

Sources and Other Related Articles:
1. New Koobface Virus Messages Malware to Friends
2. Koobface Remains Active in Facebook
3. Koobface Facebook and MySpace Worm Infects Users with Trojan Disguised as codecsetup.exe
4. ThreatExpert's Statistics for Worm.32.Koobface [Ikarus]

7 comments:

Anonymous said...

I without a doubt adore your own posting choice, very remarkable,
don't quit as well as keep creating considering it just simply that is worth to look through it,
looking forward to read a lot more of your own articles, good bye!

Anonymous said...

This comment has been removed by a blog administrator.

different sex positions said...

I know about Koobface spreads by delivering Facebook messages to people who are 'friends' of a Facebook user whose computer has already been infected. Upon receipt, the message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface is able to infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. There can also be links to the third-party website on the Facebook wall of the friend the message came from sometimes having comments like . If the link is opened the trojan virus will infect the computer and the PC will become a Zombie or Host Computer.

Dean said...

greetings to all.
I would first like to thank the writers of this blog for sharing information. A few years ago I read a book called costa rica investment; this book deals with questions like this one.

niz said...

Hello. Firstly I would like to send greetings to all readers. After this, I recognize the content is so interesting about this article. For me personally, I liked all the information. I would like to know of cases like this more often. In my personal experience I might mention a book called Generic Viagra; this book that I mentioned has very interesting topics, and also has much to do with the main theme of this article.

Anonymous said...

Smaller payday cash advances usually are ideal for the folks who earn their living from one pay day to another, month after month. If you have a comfortable income you may rely on accepting such type of financial products as soon as you want it.
quick loan
loan on ID
information about the site
see here contact us
click here

Anonymous said...

http://technologiesuae.com/#pill xanax online reviews - xanax dosage webmd