Stephen Withers
Thursday, 04 December 2008 07:15
No, it's not the villain in the latest slasher movie - Koobface is a social networking worm affecting MySpace and Facebook. But like Jason and Freddy, Koobface refuses to die.
PC Tools' ThreatFire research operation is reporting fresh infections of the Koobface worm.
Originally discovered in mid-2008, members of the Koobface family spread through social networking sites.
They work by sending bogus messages or comments to the infected user's friends.
These texts include links to malicious sites that purport to offer video clips. If visitors follow the link, they are told that they need to install a new version of Flash and are offered an 'updater' which actually installs malware.
The installer loads backdoors onto the system, which in turn download additional malware. Koobface also modifies the local hosts file to prevent the system accessing major security providers including Trend, Symantec and Sophos.
One of the main clues that the so-called updater was actually Koobface is a dialog that says "Error installing Codec. Please contact support." or "Error installing Flash Update. Please contact support."
Although Koobface was detected by Kaspersky back in late July, it is still active according to ThreatFire.
According to a ThreatFire blog entry, the latest Koobface infections are installing and running a file named bolivar28.exe or similar, and the name of the 'updater' has changed from codecsetup.exe to flash_update.exe.
So be warned: if a site prompts you to install a codec or Flash update, don't take whatever is offered. Go directly to a recognised vendor's site (eg www.adobe.com for Flash) to make sure you get the real deal.
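The hosts-file tampering described above can be checked for directly. The following is an added example, not code from ThreatFire or the article: it parses a hosts file and flags any active entry that pins a security vendor's hostname to an address. The vendor domain suffixes and the sample file contents are assumptions constructed for illustration, since the article names the vendors but not the blocked hostnames.

```python
# Assumed vendor domain suffixes: the article names the vendors, not the hostnames.
VENDOR_SUFFIXES = ("trendmicro.com", "symantec.com", "sophos.com")

# Constructed sample hosts file, for illustration only.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com   # constructed entry
0.0.0.0         WWW.SOPHOS.COM.
10.0.0.5        intranet.example.test
# 127.0.0.1     www.trendmicro.com
127.0.0.1       notsophos.com
"""

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = entry.split()
        if len(fields) >= 2:
            # Hostnames are case-insensitive; a trailing dot is the same name.
            yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]

def is_vendor_host(host, suffixes=VENDOR_SUFFIXES):
    """True if host is a vendor domain or a subdomain of one (not a lookalike)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_vendor_overrides(text, suffixes=VENDOR_SUFFIXES):
    """Return (line_no, address, hostname) for every vendor hostname override."""
    findings = []
    for line_no, addr, hosts in parse_hosts(text):
        for host in hosts:
            if is_vendor_host(host, suffixes):
                findings.append((line_no, addr, host))
    return findings

if __name__ == "__main__":
    for line_no, addr, host in find_vendor_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

On Windows the file to pass in is `%SystemRoot%\System32\drivers\etc\hosts`; a clean system normally has no entries for security vendor hostnames, so any finding is worth investigating.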