Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Koobface.FU

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Koobface.FU carries out the following actions:

  • When it is run, it displays a message like the following on the screen:

  • This message informs users that they have to enter some characters and that, if they don't, the computer will be restarted in 3 minutes.
  • After 3 minutes the computer is not actually restarted, but if the characters are not typed, the message does not disappear and the computer remains blocked until users enter them.
  • If users enter the required characters, they will be able to work with the computer properly. However, after a while a similar message will be displayed.
  • It connects to the website http://prueba.plain<blocked>t.com/.sys/?getexe=%name of the file to be downloaded%, from which it downloads several files belonging to other variants of Koobface.

Infection strategy 

Koobface.FU creates the file LD14.EXE, in the Windows directory. This file is a copy of the worm.

Additionally, it creates the following files:

  • CAPTCHA.DLL, in the Program Files directory.
  • FREDDY72.EXE and RDR_1257313904.EXE, in the Windows directory.
  • V2CAPTCHA[1].EXE, in the path C:\Documents and Settings\%username%\Local Settings\Internet temporary files\Content.IE5
    where %username% is the username of the user that has logged in.

Koobface.FU creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Captcha7 = C:\Archivos de programa\captcha.dll,captcha
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sysfbtray = %windir%\freddy72.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sysldtray = %windir%\ld14.exe

    where %windir% is the Windows directory.
    By creating these entries, Koobface.FU ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    tp
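
The Run entries and file names listed above can be checked against the text output of `reg query` for the Run key. The following Python code is an added example, not part of the original entry or of Panda's tooling; the sample output is constructed, and matching on file name rather than full path is an assumption made because the Program Files directory name is localized (the entry shows C:\Archivos de programa).

```python
import re

# Run-key value names and file names taken from the entry above.
RUN_VALUES = {"captcha7", "sysfbtray", "sysldtray"}
FILE_NAMES = ["captcha.dll", "freddy72.exe", "ld14.exe"]

# One value line of `reg query` output: name, type and data, 4 spaces apart.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# A listed file name as a whole path component; the directory is ignored
# because it is localized, and a ",export" suffix or arguments may follow.
FILE_RE = re.compile(
    r'(?:^|[\\/"])(' + "|".join(map(re.escape, FILE_NAMES)) + r')(?=$|[\s",])',
    re.IGNORECASE,
)

# Constructed sample of `reg query HKLM\...\Run` output (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Example Tray    REG_SZ    "C:\Program Files\Example\tray.exe" -min
    Captcha7    REG_SZ    C:\Archivos de programa\captcha.dll,captcha
    Sysfbtray    REG_SZ    C:\WINDOWS\freddy72.exe
    Updater    REG_SZ    C:\WINDOWS\LD14.EXE
"""

def scan_run_key(reg_query_output):
    """Return (value_name, data, reasons) for each Run value matching the entry."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        reasons = []
        if m["name"].lower() in RUN_VALUES:
            reasons.append("value name")
        f = FILE_RE.search(m["data"])
        if f:
            reasons.append("file name " + f.group(1).lower())
        if reasons:
            hits.append((m["name"], m["data"], reasons))
    return hits

if __name__ == "__main__":
    for name, data, reasons in scan_run_key(SAMPLE):
        print(f"{name}: {data} [{', '.join(reasons)}]")
```

The constructed "Updater" line shows why the file name is checked as well as the value name: an entry under a different value name that points at LD14.EXE is still reported.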

Means of transmission 

Koobface.FU spreads via the social network Facebook in order to affect as many computers as possible.

Further Details  

Koobface.FU is 77,312 bytes in size.