TWR11.EXE is worm Koobface

September 2, 2011 by NightWatcher
Filed under: Worm 
: Solved!

You should Download Removal Tool here...

The file TWR11.EXE is a computer worm.
The worm TWR11.EXE is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the TWR11.EXE problem as soon as possible!
Delete the file TWR11.EXE from all infected computers in your network.
Set up your network firewall against TWR11.EXE intervention.

Malware Analysis of TWR11.EXE
Full path on a computer: %Temp%\twr11.exe

Detected by UnHackMe:

Item Name: twr
Author: Unknown
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\TWR11.EXE
Type: Registry Run

Item Name: twr11.exe
Author: Unknown
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\TWR11.EXE
Type: Running Processes

Item Name: stldr
Author: Windows Service
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\STLDR1.EXE
Type: Registry Run

Item Name: lolsb
Author: Unknown
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\LOLSBM2.EXE
Type: Registry Run

Item Name: stldr1.exe
Author:
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\STLDR1.EXE
Type: Running Processes

Item Name: lolsbm2.exe
Author: Unknown
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\LOLSBM2.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

TWR11.EXE is known as:

Worm.Koobface

TWR11.EXE hash:

  • MD5: 5aa8227ce157d51580d79b86e0c0f718
  • SHA1: 37e7bc94c3085547d3a9f1f8c498e06edc5c11ed
How to quickly detect TWR11.EXE presence? 

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\stldr: “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\stldr1.exe”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\twr: “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\twr11.exe”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lolsb: “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lolsbm2.exe”
Files:
  • %Temp%\123.tmp
  • %Temp%\fc2blog3.exe
  • %Temp%\ffreg1.exe
  • %Temp%\ftppost2.exe
  • %Temp%\gmreg2.exe
  • %Temp%\lolsbm2.exe
  • %Temp%\stldr1.exe
  • %Temp%\tum1.exe
  • %Temp%\twr11.exe
  • %Temp%\tx1.tmp
  • %Temp%\tx2.tmp
  • %Temp%\tx3.tmp
  • %Temp%\tx4.tmp
  • %Temp%\tx5.tmp
  • %Temp%\tx6.tmp
  • %Temp%\tx7.tmp


Recommended: UnHackMe anti-rootkit and anti-malware

Premium software: RegRun Security Suite (Good choice for removal and protection)

Written by

Malware Hunter.

Tags: Koobface, TWR11.EXE, Worm

Comments

Tell me what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

You must be logged in to post a comment.