Koobface Still Causing Problems for Facebook Users
The KoobFace worm is still causing troubles in the wild. The picture below shows a malicious link which spreads through popular social networks. The link is sent from a trustworthy source (friends) inside the social network. A majority of users will most likely check it out.
If users choose to click the link, they'll be redirected to a malicious download site.
This site is constructed in a “phishing manner”. The malware authors use a reliable Facebook interface to entice users to download an upgrade of flash player in order to watch a non-existant video, as the picture above shows.
The next step in the social engineering chain is the download of a file called setup.exe. This is the “parent file” for the Koobface infection. The worm will download and install additional malicious files without the user's consent. After a few minutes, unexpected browser windows will be opened. The malware authors want to bring in money by pushing the user to install and purchase a fake anti-virus solution.
The KoobFace infection also drops a file called DDnsFilter.dll which redirects and controls the traffic. It lets users surf on google.com but blocks access to security sites like lavasoft.com and kaspersky.com, as the picture below shows. This functionality is built-in to actively prevent users from being able to clean the infection.
The bottom line: don’t trust links on social networks, even if they're sent by your best friend. Be especially cautious if the link leads to download a file with a .exe extension, which is considered suspicious behavior. Lavasoft Malware Labs detects this worm under the name Win32.Worm.KoobFace.
Albin
Lavasoft Malware Labs
Subscribe to Blog
Categories
- Beta Testing (1)
- Comment (10)
- Definition File Updates (1452)
- EULA (1)
- Everyday Life at Lavasoft (1)
- How to (7)
- Industry and Security News (12)
- Lavasoft Products (2)
- Law Enforcement and Legal Action (3)
- News about Lavasoft (5)
- Phishing (1)
- Researcher Comments (8)
- Riff Raff (1)
- Rogues (107)
- Security Alert (118)
- Security Alerts (10)
- Security Tips (22)
- Zlob (3)
Archives
- February 2012 (25)
- January 2012 (32)
- December 2011 (26)
- November 2011 (30)
- October 2011 (23)
- September 2011 (30)
- August 2011 (38)
- July 2011 (44)
- June 2011 (45)
- May 2011 (46)
- April 2011 (41)
- March 2011 (50)
- February 2011 (42)
- January 2011 (40)
- December 2010 (43)
- November 2010 (47)
- October 2010 (52)
- September 2010 (40)
- August 2010 (40)
- July 2010 (45)
- June 2010 (42)
- May 2010 (43)
- April 2010 (40)
- March 2010 (37)
- February 2010 (31)
- January 2010 (37)
- December 2009 (42)
- November 2009 (31)
- October 2009 (27)
- September 2009 (24)
- August 2009 (28)
- July 2009 (28)
- June 2009 (28)
- May 2009 (26)
- April 2009 (35)
- March 2009 (15)
- February 2009 (20)
- January 2009 (15)
- December 2008 (13)
- November 2008 (17)
- October 2008 (11)
- September 2008 (18)
- August 2008 (10)
- July 2008 (16)
- June 2008 (14)
- May 2008 (14)
- April 2008 (13)
- March 2008 (14)
- February 2008 (12)
- January 2008 (13)
- December 2007 (8)
- November 2007 (12)
- October 2007 (12)
- September 2007 (10)
- August 2007 (13)
- July 2007 (11)
- June 2007 (8)
- May 2007 (10)
- April 2007 (9)
- March 2007 (13)
- February 2007 (12)
- January 2007 (11)
- December 2006 (12)
- November 2006 (11)
- October 2006 (7)
- September 2006 (1)
Adaware was able to zap the
Adaware was able to zap the Trojan that left the problems - but my computer will not allow me to delete the DDNS.DLL file. (And as a result I can't access any websites and can't get virus/spyware updates!). How can I delete this file, other than going into DOS mode and deleting the file the old fashioned way.
I have just contributed to the MyLavasoft community.
Hi arletta ! Which version of
Hi arletta !
Which version of Ad-Aware do you run? DDNS.DLL should be able to remove with Ad-Aware's "bootscan" . You may have to restart your system to remove the malicous file.
Thanks
Albin
Lavasoft Malware Labs