The Koobface botnet is widely known to install FAKEAV or rogue antivirus malware onto a victim’s PC. It has a dedicated component which actually installs the FAKEAV onto the user’s system. However, the Koobface gang has added a new twist to its fake Facebook page.
When the user closes the window/tab with the fake Facebook page, a popup window appears. Whatever button the user clicks, this new Koobface variant is downloaded onto the affected system. Here’s a video that illustrates this behavior:
This is the script used by cybercriminals to perform this new routine; it only works for users who used Internet Explorer to visit the fake page:
Figure 1. Koobface Script
The scripts above leaves the user with very little choice – closing the browser window downloads a FakeAV variant (detected as TROJ_FAKEAV.FGR), while clicking anywhere on the web page will download a Koobface loader (detected as WORM_KOOBFACE.AZ).
If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!
September 19th, 2009 at 6:24 pm
Help i got the fake av how do i get rid of it i updated from my 08 antivirus plus antispyware to the 2010 version but don’t think that got rid of it. Best buy where i bought everything including their black tie protection 12/2008 informed me today that it ll cost me $200 for them to do it!!!!Can you please tell me how to get rid of it
September 19th, 2009 at 7:10 pm
Tons of people are falling for this. I have seen literally dozens of customers infected with Koobface and whatever flavor of rogue AV/AS is out this week. Looking for the installer for Green AV, SoftSave, and the latest Quick Heal Cleaner.
October 1st, 2009 at 8:30 am
Does killing all IE processes abort over clicking on anything? A button is a button is a button, just cuz it says close, abort, quit or donottinfectme does not mean it will close, abort,quit or notinfectme.