Koobface is a worm that affects the Microsoft Windows operating system, and is known for targeting the social networking site Facebook to spread via infected wall posts. It was first documented in 2008, but Koobface was at the height of its operations in 2009 and 2010.

While the name suggests that this family uses Facebook to spread, its variants were also known to use other social networking sites like Twitter and Myspace. It uses social engineering to get users to click on a link that appears to lead to a video. The video itself fake but is hosted on a site that imitates YouTube. The site then gets users to install a file to view the video, but the file is actually the malware.


VBInject is a trojan that Koobface uses. It is for certain forms of obfuscated malware. The loader is written in Visual Basic and the malicious code is encrypted. The original file behaves as a loader for the encrypted malicious code, giving the code virtually any purpose.


Koobface is made up of several key components to complete its routine. The components consist of data stealers, downloaders, DNS changers, and others.



Upon execution, this worm sends an HTTP request to its C&C to download a file.

It saves the downloaded file as %Current%\123.tmp, which contains a download link of a torrent file pointing to a Trojanized software. It then uses its dropped uTorrent client to silently download the referenced Trojanized software, leading to the download of several components.

As of writing, the downloaded files are detected as follows:

Note:These are aliases from Trend Micro


It then executes the downloaded files. As a result, malicious routines of downloaded files are exhibited on the system. This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Koobface.av may steal system information and user credentials, download other malware, and open a backdoor on the affected system. Some variants of this malware family have been linked to FAKEAV distributors. Newer variants employed traffic direction systems.


This worm deletes itself after executing some files.

  • WORM_KOOBFACE.X(Trend Micro)


This worm contains errors in its code. This stops it from performing its routines.

  • WORM_KOOBFACE.HQ(Trend Micro)


This is the java script that Koobface uses.

  • JS_KOOBFACE.H(Trend Micro)
  • Worm/Koobface.H(AVG)


Koobface.Skype is similar to some variants (the target application excluded), it is part of the Koobface malware family. Both the malicious code and it was a variant that was first to target Skype. It's author is unknown.

  • Worm/Koobfa-Skype(Virus Database)


OSX/Koobface.A, a Mac version which spreads via social networks such as Facebook, MySpace and Twitter.

  • Worm:OSX/Koobface.A(Microsoft)


This variant attacks Twitter.


This variant attacks:Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar.

  • Net-Worm:W32/Koobface.gen(F-Protect)

Other variants

  • Koobface.gen!F
  • Koobface.D