Lumension® Endpoint Intelligence Center



Destructivity: Unknown
Payload: Installs proxy server, downloads malware
Detection files published: 17 Aug 2008 03:00:00
Description created: 03 Jun 2009 02:49:00
Description updated: 03 Jun 2009 02:49:00
Malware type: WORM
Alias: Net-Worm.Win32.Koobface
Spreading mechanism: OTHER

Summary

W32/Koobface is a worm propagating through social networking sites such as Facebook. The worm spreads by sending messages with malicious links to contacts on various social networking sites. These links lead to websites that try to trick users into downloading the worm and other malicious software.



The worm will search through cookies on the computer looking for login credentials for various social networking sites such as Facebook, MySpace, Tagged and hi5.
Using the information gathered from the cookies, the worm then connects to these sites and starts sending messages to friends and contacts. These messages will contain a link to what appears to be a funny or interesting video, but in reality will take the user to a fake video website. This website will present the user with a message that he/she needs to install a plugin to watch the video. This is not a real plugin, but malicious software that will install the worm.

Payload Details

In addition to spreading itself through social networking sites, the worm has been seen to do the following:
- Installing a proxy server to manipulate search results (ad hijacking and click fraud).
- Downloading rogue security software.




W32/Koobface was first detected by Lumension's antivirus products on August 19th 2008. Later variants have been continuously added. To remove the worm and its malicious components completely, it is recommended to use Lumension Malware Cleaner.

Sometimes you might be unable to access the internet after being infected with W32/Koobface. In these cases you need to check your browser's proxy settings and make sure that the use of a proxy server is disabled.

How to disable the use of proxy server in Internet Explorer:

1. Start Internet Explorer.
2. Go to the Tools menu and click Internet Options.
3. Choose the Connections tab and click the LAN settings button.
4. Uncheck the checkbox for "Use a proxy server for your LAN".

It might also be a good idea to change the passwords for your social networking sites.

How to stay protected

Users of Lumension Antivirus & Antispyware are fully protected from all known versions of W32/Koobface.
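
The proxy check from the Internet Explorer steps above can also be scripted, which helps when several user profiles or machines need to be reviewed. This is an added example, not Lumension's tooling: it assumes the proxy was set in the current user's WinINET settings (the registry values behind the LAN settings dialog), and the function names Get-UserProxyState and Disable-UserProxy are made up for illustration.

```powershell
# Added example: audit and clear the per-user proxy setting that the
# Internet Explorer "LAN settings" dialog edits.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-UserProxyState {
    # Read the current values; a missing ProxyEnable value counts as "off".
    $s = Get-ItemProperty -Path $key
    [pscustomobject]@{
        User          = $env:USERNAME
        ProxyEnabled  = [bool]$s.ProxyEnable
        ProxyServer   = $s.ProxyServer      # host:port the browser is sent through
        AutoConfigUrl = $s.AutoConfigURL    # PAC script, another way to redirect traffic
    }
}

function Disable-UserProxy {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $state = Get-UserProxyState
    if (-not $state.ProxyEnabled) {
        Write-Verbose 'Proxy is already disabled for this user.'
        return $state
    }

    if ($PSCmdlet.ShouldProcess($state.ProxyServer, 'Disable proxy')) {
        # Same effect as unchecking "Use a proxy server for your LAN".
        # ProxyServer is left in place so the address can be recorded
        # during cleanup.
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
    }
    Get-UserProxyState
}

# Report first, then preview the change without applying it.
Get-UserProxyState | Format-List
Disable-UserProxy -WhatIf
```

Run Disable-UserProxy without -WhatIf to apply the change, and restart the browser afterwards so it picks up the new setting.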

Last Updated: 12 Nov 2015 11:06:14