Koobface.D Virus Will Hack Your Web Site

Discussion in 'General troubleshooting' started by daveswebcom, Nov 17, 2009.

  1. A virus called W32.Koobface.D has been making the rounds lately. I know because I got infected last week. Read all about it.

    Here are some steps you can take to avoid getting infected by this virus, and some things to minimize the damage even if you DO get infected:

    Avoid Infection: Koobface spreads by sending a message to Facebook users with a bit.ly link in it. Click the link and it pops up what appears to be the Facebook video player. It looks real, but it's just a convincing GIF fake of this Facebook page. If you click anywhere on this page, you'll launch the virus installer and you'll get infected. Beware any Facebook message with a bit.ly URL--you have no idea where it's taking you.

    Protect Yourself: Change your DiscountASP.Net password often. Don't let your browser store your username/password--Koobface knows how to find login information that's stored in cookies. It will find your DiscountASP.Net login info and will hack your site.

    Check Your Site: Koobface creates a folder on your web site and copies a couple of files there. My folder was named "883" but it's likely to use other folder names. It copies a PHP file and a GIF file (just like the one with the fake Facebook page). Then within an hour of infecting you, Koobface visits your site to check that its files are there (and who knows what else it does if it finds its files in working order!). The first request is to browse the contents of the 883 folder (which my site refused to display). The second attempts to execute the PHP script (which my site simply served up as text and didn't execute).

    Koobface isn't the most damaging virus out there. But it's going around. Protect yourself.
    Dave
     
  2. Thanks for the info and sorry to hear you were infected.

    There have been a couple of these that retrieve username/password from your computer and find out your FTP information, for example.

    Hope that everyone's antivirus updates against this specific virus.
     
  3. Bruce, DiscountASP.NET Staff

  4. Is your login information really stored in cookies? I'd be surprised if that was true.
     
  5. mjp

    FTP login information shouldn't be in a cookie anywhere.

    The specific virus he's talking about does read cookie info. But what we see much more commonly lately are viruses that drop keyloggers onto the victim's computer. Most account compromises are done using valid login info, gained by keylogging.
     
  6. Just found out my site had 4 numerical folders added, e.g. 280, 440, etc.
    Each has a check.php, index.php, rw70vnk0nywn.swf, jpg.
    Thanks for the info.
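
A site check for the pattern reported in this thread (all-digit folders holding PHP files next to GIF/JPG/SWF media), added here as an example and not posted by any participant. It assumes Python 3.7+ and read access to a local copy of the web root; the function names and the sample file names other than check.php and index.php are made up for illustration.

```python
import os
import tempfile

SCRIPT_EXTS = {".php"}                 # script type both posters found dropped
MEDIA_EXTS = {".gif", ".jpg", ".swf"}  # decoy media reported next to it


def _by_ext(files, exts):
    """Sorted file names whose extension (case-insensitive) is in exts."""
    return sorted(f for f in files if os.path.splitext(f)[1].lower() in exts)


def find_suspect_dirs(webroot):
    """Return sorted (relative_dir, scripts, media) tuples for every
    all-digit directory under webroot that holds at least one script."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        name = os.path.basename(dirpath)
        if dirpath == webroot or not (name.isascii() and name.isdigit()):
            continue
        scripts = _by_ext(files, SCRIPT_EXTS)
        if scripts:
            rel = os.path.relpath(dirpath, webroot)
            hits.append((rel, scripts, _by_ext(files, MEDIA_EXTS)))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample. Folder names 883, 280, 440 and the file names
    check.php / index.php come from the thread; the rest are made up."""
    sample = {
        "883": ["loader.php", "player.gif"],
        "280": ["check.php", "index.php", "clip.swf"],
        "images/440": ["index.php"],
        "2009": ["photo.jpg"],   # numeric, no script: not reported
        "blog": ["index.php"],   # script, non-numeric name: not reported
    }
    for rel, names in sample.items():
        folder = os.path.join(root, *rel.split("/"))
        os.makedirs(folder)
        for n in names:
            open(os.path.join(folder, n), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, scripts, media in find_suspect_dirs(root):
            print(f"{rel}: scripts={scripts} media={media}")
```

A hit is a prompt to review the folder and the FTP log for the upload time, not proof of compromise; a site that legitimately keeps scripts in numbered folders will need an allowlist.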
     
