Researcher documents Koobface Google Reader trick

The Koobface malware uses an infected machine to create a malicious Google Reader page almost entirely automatically, according to a blog post by Webroot researcher Andrew Brandt.

Poisonous Google Reader pages have been around for some time, Brandt said, but this is the first time that he has been able to watch the Koobface malware in action as it creates them.

Upon infecting a computer, Koobface runs four programs, he said. The first malware component checks the user's browser cookies to see if they already own a Google account. If not, the second Koobface element creates a new account. A third program persuades the user to solve the necessary captcha presented by Google by presenting it in the form of a Windows login, while the final program in the malware arsenal creates the Google Reader page containing the malicious code and passes that information to the worm.

The Google Reader page created by the Koobface malware carries a link to a fake video that claims it requires a new version of Flash Player to work. Downloading and installing the program infects the machine with the malware.

Koobface also uses its traditional distribution medium - social networks - to lure others to view the Google Reader page. The malware posts links to the malicious page on social networks including Facebook.
