Debunking email hoaxes and exposing Internet scams since 2003!

Hoax-Slayer Logo Hoax-Slayer Logo

DividerDivider
Home    About    New Articles    RSS Feed    Subscriptions    Contact
DividerDivider
Bookmark and Share









Knob Face (or Koobface) Trojan Worm Virus Warning Message

Outline
Message spreading via Facebook warns about a "trojan worm virus" called Knob Face or Koobface and advisers recipients to avoid adding a user called "Smartgirl 15". It also warns users to watch out for links labeled "Barack Obama Clinton scandal".

Koobface Warning Hoax

© Depositphotos.com/Dean Bertoncelj



Brief Analysis
This warning is inaccurate and highly misleading. The warning is apparently derived from concerns about a genuine security threat known as Koobface. However, because this message contains so much false and misleading information, it is in no way a valid warning about Koobface. Sending on the message will do nothing more than confuse users and diffuse the usefulness of genuine computer security warnings. If you receive this message, please do not repost it to others.

Bookmark and Share

Examples
THERE IS A VIRUS SPREADING LIKE WILDFIRE ON FB. IT IS A TROJAN WORM VIRUS CALLED KOOBFACE. IT WILL STEAL YOUR INFO,INFEST YOUR SYSTEM AND SHUT IT DOWN. DO NOT OPEN THE LIKNK (BARACK OBAMA CLINTON SCANDAL) FACEBOOK USERS DO NOT ADD HER!!! IF SOMEBODY CALLED "SMARTGIRL 15", ADDS YOU DON'T ACCEPT IT... IT'S A VIRUS. IF SOMEBODY ON UR LIST ADDS THEM, U GOT THE VIRUS TOO. COPY AND PASTE AND PLEASE REPOST

ATTENTION!!!!!!-Virus spreading like wildfire on Facebook!!

It is a Trojan worm called "Knob Face". It will steal your info, invade your system and shut it down! DO NOT open the link "Barack Obama Clinton scandal". If "Smartgirl 15" adds you, don't accept it; it is a virus. If somebody on your list adds her then you will get the virus, too!! Copy and paste to your wall please!!

Detailed Analysis
This warning message has circulating rapidly around Facebook in various forms since mid-2010. According to the message, a "trojan worm virus" by the name of "Knob Face" is "spreading like wildfire" on Facebook. A later variant changed the name from "knob face" to Koobface. The message warns Facebook users not to open links about a supposed "Barack Obama Clinton scandal". It also warns users not to add a user named "Smartgirl 15" to their contact list.


Supposedly, "Smartgirl 15" is actually a virus and adding "it" to your contact list will infect your computer along with the computers of all your contacts.

However, this warning contains false information and is highly misleading. The warning is apparently a mutated and invalid derivative of warnings concerning the genuine computer security threat known as "Koobface", an anagram of "Facebook". As noted, some versions of the warning do refer to "Koobface" rather than "Knob Face". However, even those versions that correctly name the threat get the rest of the information so fundamentally wrong that the warning is virtually useless as a means of informing users about the real Koobface worm.

There are no credible reports that suggest that Koobface was ever distributed via links pertaining to a supposed scandal involving Barack Obama and Hilary Clinton. However, it should be noted that a rogue Facebook application titled Barack Obama EXPOSED was at one point luring unsuspecting users via links that supposedly displayed a video about the "Barack Obama-Hillary Clinton Scandal". Clicking the "video" link installed the application, which then spread itself by automatically posting links on Facebook that appeared to have been sent by the person who installed the application. However, while the advice in the message not to open links pertaining to a "Barack Obama Clinton scandal" is worth heeding, this small element of truth does not validate the warning message as a whole. Clicking the "scandal" link installed a rogue application that spammed other Facebook users and may have directed users to malicious websites. However, the link did not install a "trojan worm virus" called Knob Face (or Koobface) nor did it invade your system, steal information and shut down your computer.

In reality, the Koobface worm used a variety of tactics to fool social networkers into downloading malware, not just links pertaining to one particular subject such as a political scandal. Some strains of this worm, which targeted users of Facebook, MySpace, Bebo, and other social networking websites for several years, sent out messages that invite recipients to click a link to view a video. Those who clicked the link were taken to a bogus website that claimed that they must update a plugin or other component in their browser before they could view the video. However, the supposed update actually installed the worm that can login to the user's social networking accounts via information stored in cookies and automatically send more bogus invitations to the user's friends.

Moreover, the information about a supposed virus disguised as a user with the name "Smartgirl 15" has no basis in fact whatsoever. The "Smartgirl 15" warning is just one more in a long line of absurd hoaxes that claim that you can allow a hacker or a virus on to your computer just by adding a specified name to your contact list. From time to time some prankster simply adds a new username or email address to the hoax and sends it on. As the following example reveals, the smartgirl hoax also circulates in a separate message:
ATTENTION*****: ALL FACEBOOK USERS**********...DO NOT ADD HER!!! IF SOMEBODY CALLED " SMARTGRRL15", ADDS YOU, DON'T ACCEPT IT...IT IS A VIRUS. TELL EVERYBODY, BECAUSE IF SOMEBODY ON YOUR LIST ADDS THEM, YOU GET THE VIRUS TOO. COPY AND PASTE AND PLEASE REPOST THIS HAS BEEN CONFIRMED THRU FB...
The supposed threats described in these hoaxes are technically impossible. The messages suggest that just accepting a person as a "friend" on your contact list will give the virus access to your computer along with the computers of everyone else on your list as well. This is total nonsense. The messages imply that the username itself is a virus. This is not possible. To be infected, some sort of file transfer needs to take place. If an account was configured to automatically accept files from a contact list, then it is possible that a virus could be sent by this new and sinister "contact". But even if the virus was sent in this way, the recipient would still have to explicitly open the file before a computer was infected.

Another misleading claim in the "Knob Face" warning is that the "virus" will shut down the infected computer. However, disabling the compromised computer was certainly not the goal of the criminals who distributed the real Koobface. Their goal was to use the infected computer to spread the worm to other users, create ongoing connections with other compromised computers, download other malware components and display advertisements on the compromised computers via hijacked search queries. Thus, these criminals were not about to shut down infected computers and thereby make them inaccessible.

Spreading this garbled and inaccurate "warning" will serve only to spread misinformation and confusion among social network users. Certainly Koobface is real, along with many other security threats that have targeted Facebookers over the last few years. However, the inaccuracies and falsehoods contained in the above message mean that it has no merit or validity as a warning whatsoever and should not be reposted.

Bookmark and Share

Last updated: May 22, 2013
First published: July 14, 2010
By Brett M. Christensen
About Hoax-Slayer

References
Cockeyed 'Knob Face' confusion masks real malware threat
The truth about the Facebook Knob Face worm
Koobface variant worms across social networking sites
Koobface malware makes a comeback
MSN Contact List Virus Hoax
Simon Ashton Email Hacker Hoax
W32.Koobface