
Koobface Infecting Computers Now Modifies DNS Registry

Researchers at Trend Micro have issued an alert that TROJ_DNSCHANG.UB, a Koobface virus that infects Facebook users, could now alter the Domain Name Server (DNS) registry of affected computers. The DNS registry relates to a mechanism whereby a PC can determine the location of particular websites.

The TROJ_DNSCHANG.UB malware relies on an ordinary propagation technique in which members of social-networking websites receive a message, apparently from a friend, with a video link to an unfamiliar site. When end-users try to play the movie, a prompt pops up asking them to update Flash Player. No update is delivered; instead, the Koobface virus is planted on the PC.

Subsequently, the Koobface virus downloads a file (dns.exe) that is chiefly designed to change the DNS registry of the system.

This is achieved by inserting the Internet Protocol address of the malicious DNS server into the DhcpNameServer and NameServer values under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Device ID} registry key.

Once the DNS modification is complete, the domain name of any website the user visits is resolved by querying the malicious DNS server, which returns a corrupt IP address that typically diverts the unwary user to a phishing site.

The researchers stated that websites are located by IP address rather than by their alphabetical URL, with DNS providing the lookup. If modifications are made to the DNS registry, end-users can therefore be redirected to the wrong website.
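A defender can check the two registry values named above against the resolvers the network is expected to use. The following is an added example, not code from Trend Micro or from this article: it parses the text output of `reg query` run with `/s` on the Interfaces key, and the sample output, interface GUIDs, addresses and the allowed network are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `reg query ...\Tcpip\Parameters\Interfaces /s` output.
# GUIDs and addresses are made up; 203.0.113.0/24 is a documentation range.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-1111-1111-1111-111111111111}
    EnableDHCP    REG_DWORD    0x1
    DhcpNameServer    REG_SZ    192.168.1.1
    NameServer    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-2222-2222-2222-222222222222}
    EnableDHCP    REG_DWORD    0x1
    DhcpNameServer    REG_SZ    203.0.113.53 192.168.1.1
    NameServer    REG_SZ    203.0.113.53,203.0.113.54
"""

VALUE_RE = re.compile(r"^\s+(DhcpNameServer|NameServer)\s+REG_SZ\s*(.*)$")

def audit_dns(reg_output, allowed_nets):
    """Return (interface, value name, address) for each resolver outside allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings, iface = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_LOCAL_MACHINE\\"):
            iface = line.rsplit("\\", 1)[-1].strip()  # the {Device ID} subkey
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        # NameServer may be comma- or space-separated; DhcpNameServer is space-separated.
        for token in re.split(r"[,\s]+", m.group(2).strip()):
            if not token:
                continue  # empty value: no resolver configured here
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                findings.append((iface, m.group(1), token))  # unparseable: review by hand
                continue
            if not any(addr in net for net in nets):
                findings.append((iface, m.group(1), token))
    return findings

if __name__ == "__main__":
    for iface, name, addr in audit_dns(SAMPLE, ["192.168.1.0/24"]):
        print(f"unexpected resolver {addr} in {name} on interface {iface}")
```

Both values are checked per interface because a statically set NameServer takes precedence over the DHCP-supplied one, so a clean DhcpNameServer alone does not show the interface is unaffected.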

However, the corrupt IP address to which the Koobface virus connected is presently inactive, reports Trend Micro. Nevertheless, Ryan Flores (Trend Micro researcher) warns that since the malicious DNS IP hosted malicious pages and malware, it could become active again at any time, and nothing good would come of that.

The experts suggested that anyone who suspects a Koobface infection should boot the computer into safe mode and then run a complete scan on it using an up-to-date AV.

Furthermore, security company Kaspersky reported in June 2009 that it had detected a fresh Koobface variant, which the firm counted as the 25 millionth malware in its anti-virus records.


» SPAMfighter News - 7/16/2009
