    Archive for July 9th, 2009

    Just a few hours ago, Koobface increased its Twitter activity, sending out tweets with a variety of URL links pointing to Koobface malware.

    This is in contrast to previous Koobface Twitter activity, in which only three TinyURLs pointing to Koobface were used.

    As of this writing, a couple of hundred Twitter users have been affected by Koobface in the past few hours, and dozens more are being infected as we speak.

    We advise Twitter users to avoid clicking URLs in tweets, especially if the tweet advertises a home video.

    Update 1:

    It seems this Koobface problem on Twitter is getting bigger and bigger, prompting Twitter itself to temporarily suspend infected user accounts.

    Update 2:

    Koobface and most of its components can be cleaned by our standalone cleaner Sysclean. You may download Sysclean here.

    A worm designed to propagate through email is the main component used in the DDoS attacks against high-profile websites in the United States and South Korea.

    Detected as WORM_MYDOOM.EA by Trend Micro, it is suspected to have arrived in victims’ inboxes as an attachment to email messages. Upon execution, it registers itself as a system service (under a name such as WMI Performance Configuration or WmiConfig) to ensure that it runs at startup. It then drops component files, which are distributed across the infected machines and contain lists of DDoS targets.

    The worm then gathers email addresses from all files located in the affected system’s Temporary Internet Files folder. It also gathers domain names and uses them to compose more email addresses by prepending user names such as andrew, brenda, david, and george to the gathered domain names (a detailed list can be read here). Additionally, the threat attempts to obtain email server addresses by prepending certain strings to the obtained domain names. Emails with a copy of itself as an attachment are sent to the composed addresses through its own SMTP engine. It should be noted, however, that although the code suggests that WORM_MYDOOM.EA propagates through email, we have yet to receive a sample that successfully propagates via email.

    Our threat researchers are still analyzing some aspects of this malware and its components, so we will update this post as more information becomes available.
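    The address-composition behavior described above leaves a recognizable footprint in outbound mail logs: one sender mailing several of the same generic local parts (andrew@, brenda@, david@, ...) at a single domain in quick succession. The following script is an added example, not Trend Micro's code, that flags that pattern; the log line format and the sample lines are constructed, and only the four prefixes named in this post are used, since the full list is not reproduced here.

```python
import re
from collections import defaultdict

# Generic local parts that the post says WORM_MYDOOM.EA prepends to harvested
# domains. Only the four prefixes named on this page are included here.
DICTIONARY_PREFIXES = {"andrew", "brenda", "david", "george"}

# Constructed sample of mail-gateway log lines (not real traffic).
# Assumed format: "<timestamp> from=<address> to=<address>"
SAMPLE_LOG = """\
2009-07-09T10:01:02 from=victim@corp.example to=andrew@partner.example
2009-07-09T10:01:03 from=victim@corp.example to=brenda@partner.example
2009-07-09T10:01:03 from=victim@corp.example to=david@partner.example
2009-07-09T10:01:04 from=victim@corp.example to=george@partner.example
2009-07-09T10:02:10 from=victim@corp.example to=alice.jones@partner.example
2009-07-09T10:05:00 from=bob@corp.example to=david@other.example
"""

LINE_RE = re.compile(r"from=(\S+)\s+to=([^@\s]+)@(\S+)")


def parse(log):
    """Yield (sender, local_part, domain) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3).lower()


def dictionary_spray_senders(log, min_hits=3):
    """Return {sender: {domain: [prefixes]}} for senders that mailed at least
    `min_hits` distinct dictionary local parts at the same domain.

    A real user rarely writes to andrew@, brenda@ and david@ of one domain in
    a row; a worm composing addresses from a prefix list does exactly that."""
    seen = defaultdict(lambda: defaultdict(set))
    for sender, local, domain in parse(log):
        if local in DICTIONARY_PREFIXES:
            seen[sender][domain].add(local)
    return {
        sender: {d: sorted(p) for d, p in doms.items() if len(p) >= min_hits}
        for sender, doms in seen.items()
        if any(len(p) >= min_hits for p in doms.values())
    }


if __name__ == "__main__":
    for sender, doms in dictionary_spray_senders(SAMPLE_LOG).items():
        for domain, prefixes in doms.items():
            print(f"{sender} -> {domain}: {', '.join(prefixes)}")
```

    The threshold is deliberately low for the sample; on a real gateway, tune `min_hits` and add a time window so that a single dictionary hit (like bob's mail to david@other.example) is not flagged.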

    Files related to network analysis tools are also deleted in order to prevent the affected user from noticing the heightened network activity caused by the DDoS attack (see Figure 1 for the threat diagram).


    Figure 1. WORM_MYDOOM.EA threat diagram

    The DDoS attack left a number of its target websites inaccessible, which included several of South Korea’s government websites. South Korea is one of the top countries in Asia in terms of Internet usage, with an estimated 36.8 million users.

    Users are strongly advised to ignore unsolicited emails so as not to unwittingly take part in this massive attack.

    Updates as of 12 July 2009:

    Further analysis by our engineers reveals that WORM_MYDOOM.EA drops a specially crafted .JPG file detected as TROJ_JPEGDRPR.B. Embedded in TROJ_JPEGDRPR.B is an executable detected as WORM_MYDOOM.EB.

    WORM_MYDOOM.EB overwrites the Master Boot Record of all drives in the affected system with the string “Memory of the Independence Day”. It then searches for files with certain file extensions, creates an archive of all found files, and deletes the originals. Found files that are 0 bytes in size are simply deleted. The created archive is protected by a random 8-digit password.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice