Hi! 😊

Koobface Virus

What Is It?
Computer hackers are targeting the 120 million users of the social networking site Facebook with the ‘Koobface’ virus, which takes control of a PC’s internet searches and can steal sensitive personal information.

Koobface is a virus that mainly attacks Facebook, but it has been known to attack sites like MySpace, Twitter, Friendster, Hi5, and Bebo. When the virus gets into the user's computer it starts sending itself to other users from your Facebook account, or whichever other social networking site account you use. After doing this, the worm steals credit cards, bank accounts, and other sensitive data. If you look at "Koobface" you'll see "Facebook": "koob" is "book" backwards, and the "face" part is easy. The Koobface worm was first identified in August, but it appears to have been altered to hit the social networking site only.

Facebook insisted only a "very small percentage of users" had been affected but in the past day, hundreds of media workers in Boston alone have received infected emails.

The virus spreads by sending enticing messages to Facebook friends with subject headers such as "Look you were filmed all naked!" or "You look just awesome in this movie".

If the recipient clicks on the supplied link, he is taken to a page that looks like the video-sharing website YouTube.

He is then told that he needs to download new software, supposedly the latest version of Adobe Systems Inc’s Flash player, in order to watch the film clip.

The downloaded file contains the virus, which will then infect the computer and take users to contaminated sites when they try to use Google, Yahoo or other search engines.

Recipients of such emails are advised not to install the software. If they have already done so, they need to run an anti-virus programme to remove it.

Facebook has posted limited instructions on removing the virus on its security page. The US company said it was resetting infected passwords and removing malicious messages.

McAfee, a security software firm which first highlighted the virus, said there were dozens of Koobface variants so the "situation is likely to get worse before it gets better".

Its unidentified creators were "updating it, refining it, adding new functionalities", said a McAfee spokesman.

Social network users tend to be less suspicious about messages they receive via the network because it can only be accessed by others who have an account, said Chris Boyd, a researcher with FaceTime Security Labs.

"People tend to let their guard down. They think you’ve got to log in with an account, so there is no way that worms and other viruses could infect them," he said.

Another version of Koobface appeared on the social network MySpace in August but the company said it had not cropped up again after it used security technology to wipe it out.

How Does It Spread?

The main question is "How does it spread?" The worm spreads itself by sending messages from the user's account to all their friends. The message usually has a subject like "You look stupid in this vid" or "I got you a camera". The link to the video brings you to a third-party site that says you need to update to the latest Adobe Flash Player and asks you to download it; most people will, without thinking. Once the worm is installed, it is called to action.

How Do I Remove It?

The hardest part about Koobface is that it is a polymorphic worm. This means that it keeps changing itself to stay undetected. The best way to remove it is to use an updated malware cleaner. If you go to the following, there are scanners recommended by Facebook to scan for this worm or any other virus online. This page can be found here. If you don't want to use an automated program that will remove it for you, even though this is highly recommended, follow these steps.

To remove it manually follow these steps:

1. Click start on the taskbar, and then click "My Computer."

2. Hit F3, select "All Files and Folders" and search for "Koobface."

3. Copy the file path of Koobface.

4. Open "Task Manager". This can be done either by holding Ctrl+Alt+Del or by clicking "Start", then "Run", and typing "taskmgr.exe".

5. You must end Koobface's process first.

6. Next you must end the following processes as well:

1. %SYSTEMROOT%\bolivar28.exe

2. bolivar28.exe

3. che07.exe

4. %WinDir%\system32\nScan\ecls.exe

5. %WinDir%\system32\nScan\ekrn.exe

6. %WinDir%\system32\splm\ncsjapi32.exe

7. %WinDir%\bolivar28.exe

8. C:\Windows\fbtre6.exe

Now that this is done, it is time to go into the registry and remove this worm.

1. Click "Start", then "Run", and type "Regedit"

2. Locate and delete these registry entries:

1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B\StubPath: "%WinDir%\System32\splm\ncsjapi32.exe"

2. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir%\System32\splm\ncsjapi32.exe"

3. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "2"

4. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Intelli Mouse Pro Version 2.0B: "%WinDir%\System32\splm\ncsjapi32.exe"

5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir%\System32\splm\ncsjapi32.exe"

6. HKEY_USERS\Software\Microsoft\Windows\nScan32\ExecuteDate: "1482008"

7. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "C:\Windows\fbtre6.exe"

8. HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

9. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "c:\windows\mstre6.exe"

Now we must unregister these dll files in Command Prompt.

1. Click "Start", "Run", and type "cmd"

2. Now locate the following dll files by typing "dir" followed by each of these paths:

1. %WinDir%\system32\nScan\ekrnScan.dll

2. %WinDir%\system32\nScan\ekrnEpfw.dll

3. %WinDir%\system32\nScan\ekrnEmon.dll

4. %WinDir%\system32\splm\lmfunit32.dll

5. %WinDir%\system32\splm\kbdsapi.dll

6. %WinDir%\system32\nScan\ekrnAmon.dll

7. %WinDir%\system32\splm\mcaserv32.dll

Now that you have the paths, type "cd", a space, and the directory containing each of those DLLs, hit Enter, and then unregister them.

Unregister each one using the following format: "regsvr32 /u" followed by the dll name.

That's it! I hope you use anti-malware software, because doing this by hand can harm your computer.
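As an added example (not part of the original article), here is a read-only PowerShell triage script that checks whether the files, autorun values and processes listed in the steps above are present on a machine, so you can see what you are dealing with before touching anything. It assumes %WinDir% is taken from the environment, checks the HKEY_USERS entries under HKCU for the current user, and skips the Explorer\Advanced\Hidden and AppEvents\...\Navigating keys, which are standard Windows keys and not indicators on their own.

```powershell
# Added triage check, not from the original article: reports whether the Koobface
# artefacts listed above are present. Read-only; it ends no processes and deletes nothing.
$win = $env:WINDIR
$files = @(
    "bolivar28.exe", "fbtre6.exe", "mstre6.exe",
    "system32\nScan\ecls.exe", "system32\nScan\ekrn.exe",
    "system32\nScan\ekrnScan.dll", "system32\nScan\ekrnEpfw.dll",
    "system32\nScan\ekrnEmon.dll", "system32\nScan\ekrnAmon.dll",
    "system32\splm\ncsjapi32.exe", "system32\splm\lmfunit32.dll",
    "system32\splm\kbdsapi.dll", "system32\splm\mcaserv32.dll"
) | ForEach-Object { Join-Path $win $_ }
# Autorun values from the article. HKEY_USERS entries are checked under HKCU (current user).
# Explorer\Advanced\Hidden and AppEvents\...\Navigating are left out: they exist on normal systems.
# Name is matched with -like, so the '*...*' names act as wildcards; Data narrows 'systray'
# to the fbtre6.exe / mstre6.exe payloads named in the article.
$regValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B'; Name = 'StubPath' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = '*Intelli Mouse Pro Version 2.0B*' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Name = '*Intelli Mouse Pro Version 2.0B*' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Intelli Mouse Pro Version 2.0B' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'systray'; Data = '*tre6.exe*' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\nScan32'; Name = 'ExecuteDate' }
)
$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "FILE     $f" }
}
foreach ($r in $regValues) {
    $key = Get-ItemProperty -LiteralPath $r.Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { continue }
    foreach ($p in $key.PSObject.Properties) {
        if ($p.Name -notlike $r.Name) { continue }
        if ($r.Data -and ("$($p.Value)" -notlike $r.Data)) { continue }
        $findings += "REGISTRY $($r.Path)\$($p.Name) = $($p.Value)"
    }
}
# Running processes whose image name matches the list (che07 is listed without a path).
# ekrn/ecls are also genuine ESET names, so the image path is printed for a manual check.
$names = 'bolivar28', 'che07', 'ecls', 'ekrn', 'ncsjapi32', 'fbtre6', 'mstre6'
Get-Process -ErrorAction SilentlyContinue | Where-Object { $names -contains $_.ProcessName } |
    ForEach-Object { $findings += "PROCESS  $($_.ProcessName) (PID $($_.Id)) $($_.Path)" }
if ($findings.Count -eq 0) { 'No Koobface artefacts from the list were found.' }
else { 'Possible Koobface artefacts:'; $findings }
```

Run it from an elevated PowerShell prompt so the HKLM keys and all process paths are readable; a hit on ekrn.exe or ecls.exe under a genuine ESET install directory rather than under system32\nScan is a false positive.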

Read more: https://www.brighthub.com/computing/smb-security/articles/44727.aspx#ixzz0WAz6HCJG

Made with ♡ ♥💕❤ from Mauritius