Koobface variant used for Captcha breaking
A new Koobface variant is currently spreading in the wild. New variants are not unexpected, but this one has an unusual feature: once the malware is installed on the computer, it locks the Windows desktop every so often and forces the user to solve a Captcha. The user has 3 minutes to solve it; otherwise the malware threatens to shut down the computer. It doesn’t actually shut the computer down, though: the message window just stays on the desktop and locks it.
If the Captcha is entered correctly, the desktop is released again, but the malware will eventually open another pop-up. Avira detects the threat generically as TR/Downloader.Gen. This downloader is installed into the Windows directory and then downloads the actual Koobface malware; those files are detected as Worm/Koobface.cfm and Worm/Koobface.cci. The downloads don’t end there: the Koobface samples download further components, which Avira reports as TR/Dldr.Small.anlx and TR/PSW.LdPinch.102400D, respectively. Avira users are thus protected from this threat.
Viktor Gräber
Virus Researcher

