
Koobface - Facebook Virus

Posted on 16 January 2010 under Trojans and viruses

1. What is Koobface?

Koobface is a computer worm that spreads through social networking websites such as Facebook.com or Myspace.com. It passes from one computer to another via malicious links included in messages sent between users who have confirmed each other as friends on the social networking website. The computer from which the message was sent is already infected with the Koobface virus. The user has nothing to do with it, because all such messages are generated and sent by the virus.

The messages consist of a link pointing to a malicious webpage and some text that describes the target content. It is usually a video link with text like "i ofund a viideo iwth you in my cammera", "I think I am TOTALLY going to try this out to make some bonus Xmas cash GALEWHER . C0M" or "Paris Hilton Tosses Dwarf On The Street?". After clicking on such a link, the user is taken to a compromised webpage, which asks them to update Adobe Flash Player in order to watch the video content. Instead of updating the video player, the victim is infected with the Koobface virus.

The Koobface virus modifies the DNS server in order to block access to security websites, which prevents the victim from eliminating the virus. Koobface is bundled with a rogue antivirus installer, which is intended to install a fake anti-virus/anti-spyware program on the victim's machine.

2. How to remove Koobface:

  1. The Internet connection might be disabled or the Internet browser might be blocked by Koobface, so it won't be possible to download any files to the infected computer. In this case, please download all files required for Koobface removal to another computer and then transfer them to the infected one using a CD/DVD or USB flash drive.
  2. To remove Koobface, download Spyware Doctor and install the program (for the installation guide click here). Before installation, make sure all other programs and windows are closed.
  3. After the installation, a computer scan should start automatically. If so, please move to the next step. If not, click "Status" on the left side menu and press the "Scan Now" button to run the computer scanner as shown in the picture below:

  4. After the scan has been completed and the scan results have been generated, press the "Fix Checked" button to remove Koobface.

  5. Restart the computer to complete the Koobface removal procedure.

3. Koobface files:

freddy*.exe, captcha*.dll, ld*.exe, pp*.exe
* - random digit(s)

4. Hijackthis entries:

O4 - HKLM\..\Run: [Captcha7] rundll "C:\Program Files\captcha7.dll",captcha
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld16.exe
O4 - HKLM\..\Run: [sysfbtray] c:\windows\freddy79.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp12.exe
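
The file-name patterns in section 3 and the autorun entries in section 4 can be checked against a saved HijackThis log automatically. The following is an added example, not part of the original article: the function name `find_koobface_autoruns` is hypothetical, and the sample log combines the four entries listed above with constructed benign lines.

```python
import re

# Patterns from "Koobface files"; "*" stands for one or more random digits.
KOOBFACE_NAME = re.compile(
    r"(?:freddy\d+\.exe|captcha\d+\.dll|ld\d+\.exe|pp\d+\.exe)", re.IGNORECASE)

# HijackThis O4 autorun line: O4 - HKLM\..\Run: [value name] command
# Accepts "-" or an en-dash, since pasted logs often have the dash altered.
O4_LINE = re.compile(
    r"^O4\s*[-\u2013]\s*(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*):\s*"
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", re.IGNORECASE)

# Last path component ending in .exe/.dll, stopping at quotes, slashes, commas.
FILE_TOKEN = re.compile(r"[^\\/\"\u201c\u201d,]+\.(?:exe|dll)", re.IGNORECASE)

def find_koobface_autoruns(log_text):
    """Return (run value name, file name) for O4 entries matching the patterns."""
    hits = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue  # not an O4 Run entry
        for token in FILE_TOKEN.findall(m.group("cmd")):
            fname = token.strip()
            # fullmatch: "build16.exe" must not match the "ld*.exe" pattern
            if KOOBFACE_NAME.fullmatch(fname):
                hits.append((m.group("name"), fname.lower()))
    return hits

# Sample log: four entries from section 4 plus constructed benign lines.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [Captcha7] rundll "C:\Program Files\captcha7.dll",captcha
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld16.exe
O4 – HKLM\..\Run: [sysfbtray] c:\windows\freddy79.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp12.exe
O4 - HKLM\..\Run: [BuildAgent] C:\Tools\build16.exe /tray
O4 - HKCU\..\Run: [DirSync] "C:\Program Files\Dir\ldapsync.exe"
"""

if __name__ == "__main__":
    for value_name, file_name in find_koobface_autoruns(SAMPLE_LOG):
        print(f"suspicious autorun [{value_name}] -> {file_name}")
```

Short patterns such as `ld*.exe` and `pp*.exe` can coincide with legitimate software, so a hit is a lead for closer inspection of the file, not a verdict.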