Koobface Still Causing Problems for Facebook Users

by Albin on August 19th, 2009 in Security Alert.

The KoobFace worm is still causing troubles in the wild. The picture below shows a malicious link which spreads through popular social networks. The link is sent from a trustworthy source (friends) inside the social network. A majority of users will most likely check it out.

If users choose to click the link, they'll be redirected to a malicious download site.

This site is constructed in a “phishing manner”. The malware authors use a reliable Facebook interface to entice users to download an upgrade of flash player in order to watch a non-existant video, as the picture above shows.

The next step in the social engineering chain is the download of a file called setup.exe. This is the “parent file” for the Koobface infection.  The worm will download and install additional malicious files without the user's consent. After a few minutes, unexpected browser windows will be opened.  The malware authors want to bring in money by pushing the user to install and purchase a fake anti-virus solution.

The KoobFace infection also drops a file called DDnsFilter.dll which redirects and controls the traffic. It lets users surf on google.com but blocks access to security sites like lavasoft.com and kaspersky.com, as the picture below shows. This functionality is built-in to actively prevent users from being able to clean the infection.

The bottom line: don’t trust links on social networks, even if they're sent by your best friend. Be especially cautious if the link leads to download a file with a .exe extension, which is considered suspicious behavior. Lavasoft Malware Labs detects this worm under the name Win32.Worm.KoobFace.


Lavasoft Malware Labs

No votes yet

Adaware was able to zap the

User offline. Last seen 7 years 34 weeks ago.arletta_shenfeld
Joined: 2009-08-26
Posts: 0

Adaware was able to zap the Trojan that left the problems - but my computer will not allow me to delete the DDNS.DLL file. (And as a result I can't access any websites and can't get virus/spyware updates!). How can I delete this file, other than going into DOS mode and deleting the file the old fashioned way.

I have just contributed to the MyLavasoft community.

Hi arletta ! Which version of

User offline. Last seen 6 years 39 weeks ago.Albin
Joined: 2008-12-02
Posts: 0

Hi arletta !

Which version of Ad-Aware do you run? DDNS.DLL should be able to remove with Ad-Aware's "bootscan" . You may have to restart your system to remove the malicous file.



Lavasoft Malware Labs


Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now