3/2: Worm_Koobface.AZ Searches For Cookies on Social Networking Sites

Worm_Koobface.AZ may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

Upon execution, it searches for cookies created by social networking Web sites. It then makes a DNS query to check IP addresses that corresponds to remote domains. The said servers can send and receive information about the affected machine. Once connected to the said servers, the remote malicious user may perform certain commands on the affected machine.

Once cookies related to the monitored social networking Web sites are located, it connects to these Web sites using the user login session stored in the cookies. It then navigates through pages to search for the user's friends. If a friend has been located, it sends an HTTP POST request to the server. As a reply, the server sends data which is actually the message to be sent to user's contacts. It then composes a new message containing the data from the server and sends it to the user's friend. The new message contains a link where a copy of this worm can be downloaded.

Technical details can be found at this Trend Micro page.