A few days ago the Koobface worm started to appear on Twitter. Today it returns, hijacking several Twitter user accounts to help propagate itself. The malicious tweets start with the text “My Home Video :)” followed by a link to one of 20 or so malicious sites.

Koobface.DU.worm | Twitter Search

Once on the malicious site, the victim is confronted with a fake Flash update. The infection downloads two additional executables from a domain hosted in Belgium and immediately afterwards starts to communicate with Facebook and Twitter.

Koobface.DU.worm | Flash Check

Fake codec site:

Koobface.DU.worm Download


Koobface.DU.worm Connections

After attempting to spread the infection on Facebook and Twitter, W32/Koobface.DU.worm further capitalizes on its efforts by installing the Adware/InternetAntivirusPro rogue antivirus.

Koobface.DU.worm | Rogueware

Twitter has responded to the threat quickly and has already made an effort to remove the malicious tweets. We detected around 100 malicious tweets still active at the time of writing.

Visual representation of malicious tweets:

Koobface.DU.worm | Visual Twitter Representation
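
The tweet pattern described at the top of this post (lure text at the start, then a link) lends itself to a two-pass sweep of a tweet export. The following is an added example, not part of the original post or any vendor tooling. The account names, tweets and `.example` hosts are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Lure text reported in the post, anchored to the start of the tweet and
# tolerant of case and spacing differences, followed directly by a link.
LURE = re.compile(r"^\s*my\s+home\s+video\s*:\)\s*(https?://\S+)", re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def lure_hosts(tweets):
    """Pass 1: collect hosts linked from tweets that start with the lure."""
    found = {host_of(m.group(1)) for _, text in tweets if (m := LURE.match(text))}
    return found - {""}

def tweets_linking_to(tweets, hosts):
    """Pass 2: flag every tweet linking to a collected host, whatever its
    text, so retweets and reworded copies are caught as well."""
    hits = defaultdict(list)
    for account, text in tweets:
        if any(host_of(u) in hosts for u in URL.findall(text)):
            hits[account].append(text)
    return dict(hits)

# Constructed sample: (account, tweet text). Hosts are placeholders.
SAMPLE = [
    ("alice", "My Home Video :) http://site-one.example/video/"),
    ("bob", "my home video :)  http://SITE-ONE.example/v?id=3"),
    ("carol", "My Home Video :) http://site-two.example/"),
    ("dave", "Watching my home video :) tonight"),           # no link
    ("erin", "RT @alice My Home Video :) http://site-one.example/video/"),
    ("alice", "Lunch was great http://blog.example/lunch"),  # unrelated link
]

if __name__ == "__main__":
    hosts = lure_hosts(SAMPLE)
    print("hosts to block:", sorted(hosts))
    for account, texts in sorted(tweets_linking_to(SAMPLE, hosts).items()):
        print("review account:", account, "-", len(texts), "tweet(s)")
```

The host set from pass 1 can feed a proxy or DNS blocklist, while the account list from pass 2 identifies users whose credentials should be reset.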