Removing the Koobface Worm (WORM/Koobface.bgn)

I came across this facebook worm for the first time today… It’s seems that more and more facebook users get their account hacked and then somebody posts links to malicious sites on the walls of their friends.

Unsuspecting friends then install updates to the ‘Flash Player’ or what-have-you and BANG!

In this instance the removal seems easy enough:

  1. Get a list of suspicious processes (HiJackThis can help). In this instance we have:
    And lots of files in:
    C:Documents and Settings[USER]Local SettingsTemp
  2. I got myself a Linux Live CD (ubuntu) and booted into this live version
  3. I started deleting the files above
  4. I rebooted into save mode (press f8 just after BIOS message)
  5. When Windoze started, I went into the registry (press WinKey + r and enter ‘regedit’) and deleted the referring keys in:
    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrent VersionRun

Restarted and prayed 🙂

But it seems to have worked, cause I don’t see any suspicious process in HiJackThis anymore.

Author: Chris A. Matenaers

Working in Digital Marketing, strong liberal world-views & privacy advocate. My hobbies are scuba-diving and coding. I'm also a huge Star Wars fan.

Leave a Reply

Your email address will not be published. Required fields are marked *