KoobFace
Malware - Viruses

It is also known as the Facebook Virus/Worm.

Apart from the information in the video about Koobface removal, the following files were found to be created by different instances/variations of the Koobface worm.

[Search your hard disk for bolivar*.exe and kenny*.exe and delete them.]

These are the files found in different infections of this worm:

C:\6566533.bat
C:\Windows\fmark2.dat
C:\Windows\kenny14.exe
C:\Windows\bolivar27.exe
C:\Windows\fmark2.dat
C:\6566533.bat
C:\Windows\fmark2.dat
C:\Windows\kenny15.exe
C:\Windows\bolivar31.exe
C:\Windows\fm123.dat

C:\Windows\bolivar29.exe
C:\Windows\fmark2.dat

C:\6566533.bat
C:\Windows\fmark2.dat
C:\Windows\kenny12.exe
C:\Windows\bolivar26.exe
C:\Windows\fmark2.dat
C:\Windows\bolivar28.exe
C:\Windows\fmark2.dat
C:\653ad216543.bat
C:\Windows\bolivar22.exe
C:\Windows\fmark2.dat


This is the current information about the Koobface infection. Again, there are several variations.

Aliases: these are some of the aliases
  Net-Worm.Win32.Koobface.ex [Kaspersky Lab]
  W32/Koobfa-Gen [Sophos]
  Trojan-Proxy.Win32.Small [Ikarus]
  packed with: PE_Patch.UPX [Kaspersky Lab]

Turn off System Restore: The malicious files are saved in the System Restore backup. You need to turn System Restore off to remove them. You can turn it on again after cleaning the computer.
View hidden files: You need to enable viewing of hidden files and folders before you can search for the virus files and folders.
Boot in Safe Mode: If you are unable to delete the malware files/folders, try doing it while in Windows Safe Mode.
 

If you are unable to open Task Manager
Sometimes you are not able to open Task Manager, the Run command, etc. The virus does this (see the DisableTaskMgr registry value under Variation 2 below). There are free tools to solve this problem.

Delete processes from Task Manager: The following processes may be found in Task Manager. End (delete) them if found.
ld02.exe, loader.exe, frmwrk32.exe, mstre15.exe

Delete folders/ files from the hard disk:

%Temp%\loader.exe
%System%\frmwrk32.exe
%Windir%\ld02.exe
%System%\uniq.tll
(%Windir% is the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).)

(For deleting files in the temp folder, running CCleaner will be useful. It is a freeware temp file/registry cleaner.)

Changes in the registry: You can edit the registry using the Windows built-in Registry Editor.

Variation 1 (ThreatExpert report):

  • The following Registry Keys were deleted:
    • HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
    • HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current
    • HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Default
  • The newly created Registry Value is:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • sysldtray = "%Windir%\ld02.exe"
        so that ld02.exe runs every time Windows starts
  • The following Registry Values were deleted:
    • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Default]
      • (Default) = "%SystemRoot%\media\Windows XP Start.wav"
    • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
      • (Default) = "%SystemRoot%\media\Windows XP Start.wav"
    • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating]
      • (Default) = ""
Variation 2 (ThreatExpert report):
  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • The following Registry Keys were deleted:
    • HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
    • HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current
    • HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Default
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
      • NoChangingWallpaper = 0x00000001
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
      • NoSetActiveDesktop = 0x00000001
      • NoActiveDesktopChanges = 0x00000001
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • Framework Windows = "frmwrk32.exe"
        so that frmwrk32.exe runs every time Windows starts
      • sysldtray = "%Windir%\ld02.exe"
        so that ld02.exe runs every time Windows starts
    • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
      • Wallpaper = "%System%\ahtn.htm"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      • NoSetActiveDesktop = 0x00000001
      • NoActiveDesktopChanges = 0x00000001
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
      • NoChangingWallpaper = 0x00000001
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      • DisableTaskMgr = 0x00000001
        to prevent users from starting Task Manager (Taskmgr.exe)
  • The following Registry Values were deleted:
    • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Default]
      • (Default) = "%SystemRoot%\media\Windows XP Start.wav"
    • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
      • (Default) = "%SystemRoot%\media\Windows XP Start.wav"
    • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating]
      • (Default) = ""
    • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
      • Wallpaper = ""
  • The following Registry Value was modified:
    • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
      • WallpaperLocalFileTime = 00 C0 DC F1 BC FF FF FF
Variation 3: see the ThreatExpert report.
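The following PowerShell script is an added example, not code from the original page or from ThreatExpert: it audits a Windows host for the artifacts this write-up lists, both the file names from the infection lists above and the Run-key and policy values from Variations 1 and 2, and reports running processes with the names given under Task Manager. The registry paths, value names and file names are taken from the page; the search locations (C:\, %Windir%, %System%, %Temp%) and the -Remediate switch, which only removes the DisableTaskMgr lockdown, are assumptions of this example.

```powershell
# Added example, not code from the original page: read-only triage for the
# Koobface artifacts listed above (Run-key values, policy lockdowns, files,
# processes). Run as Administrator; -Remediate clears only DisableTaskMgr.
param([switch]$Remediate)

# Run-key values named in Variations 1 and 2 (value name -> expected data).
$runValues = @{ 'sysldtray' = 'ld02.exe'; 'Framework Windows' = 'frmwrk32.exe' }
$runKeys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# Policy values Variation 2 sets to 1; DisableTaskMgr is what hides Task Manager.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'        = 'DisableTaskMgr'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' = 'NoChangingWallpaper'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' = 'NoChangingWallpaper'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'      = 'NoSetActiveDesktop','NoActiveDesktopChanges'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'      = 'NoSetActiveDesktop','NoActiveDesktopChanges'
}
# File names from the infection lists and the %Temp%/%System%/%Windir% paths above.
$filePatterns = 'bolivar*.exe','kenny*.exe','fmark2.dat','fm123.dat','ld02.exe',
                'frmwrk32.exe','loader.exe','uniq.tll','ahtn.htm','6566533.bat','653ad216543.bat'
$searchRoots  = 'C:\', $env:windir, "$env:windir\System32", $env:TEMP   # assumed locations
$procNames    = 'ld02','loader','frmwrk32','mstre15'
$findings = @()
foreach ($key in $runKeys) {
    foreach ($name in $runValues.Keys) {
        $data = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($data -like "*$($runValues[$name])*") { $findings += "Run value: $key\$name = $data" }
    }
}
foreach ($path in $policies.Keys) {
    foreach ($name in @($policies[$path])) {
        $v = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) { $findings += "Policy: $path\$name = 1" }
    }
}
foreach ($root in $searchRoots) {
    # Trailing \* lets -Include filter without -Recurse; -Force includes hidden files.
    $hits = Get-ChildItem -Path (Join-Path $root '*') -Include $filePatterns -Force -ErrorAction SilentlyContinue
    foreach ($f in $hits) { $findings += "File: $($f.FullName)" }
}
foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    $findings += "Process: $($p.Name) (PID $($p.Id))"
}
if ($Remediate) {
    Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
}
if ($findings.Count -eq 0) { 'No Koobface artifacts from this write-up were found.' }
else { foreach ($line in $findings) { "[!] $line" } }
```

Save it as a .ps1 file and run it from an elevated PowerShell prompt; without -Remediate it changes nothing and only prints what it finds, so the output can be kept as a record before any files are deleted.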

 

Run System File Checker: This is a built-in Windows utility. It scans the computer for altered or deleted Windows system files and replaces them with the original files automatically.

Using a firewall: It will be helpful if you have a firewall, so that you can block the malware's malicious network communication.

Reference: used with permission from ThreatExpert.