Content

CoreFlood.dr

Type
Trojan
SubType
Dropper
Discovery Date
11/24/2004
Length
Varies
Minimum DAT
4292 (09/10/2003)
Updated DAT
5666 (07/04/2009)
Minimum Engine
5.1.00
Description Added
04/15/2004
Description Modified
11/06/2008 5:18 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update - November 6, 2008--

Some variants of this threat have been known to contact the following using port 80:

  • avupdate.net
  • mcupdate.net

It can receive commands, for example to download and execute other malware, to log and steal information, to update itself, or to perform flooding.

This trojan has mostly been known to spread using browser exploits. It has also sometimes been downloaded by other malware, which typically uses psexec.exe to install it on other machines.

-- Update - June 24, 2008--

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)

A new version of the Coreflood trojan named "wmedia106.exe" has been found. On execution, the trojan drops a DLL file into %SystemDir% that hooks into explorer.exe.

The dropped DLL name varies per installation of the trojan. In the following description we refer to the random DLL name as "[Random_DLL_Name]".

The following files have been added to the system:

  • %SystemDir%\[Random_DLL_Name].dat
  • %SystemDir%\[Random_DLL_Name].dll
  • %SystemDir%\[Random Name].dat
  • %SystemDir%\[Random Name].dat
  • %SystemDir%\[Random Name].dat
  • %SystemDir%\[Random Name].dat

The following registry elements have been created:

  • HKEY_LOCAL_MACHINE\software\classes\clsid\{[Random_CLSID]}\InprocServer32
    • (default) = %SystemDir%\[Random_DLL_Name].dll
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\[Random_DLL_Name]\
    • (default) = {[Random_CLSID]}
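As an added example (not part of the McAfee advisory), the following PowerShell audits the persistence path described above: it walks every ShellIconOverlayIdentifiers entry, resolves each CLSID to its InprocServer32 DLL, and flags handlers whose DLL is unsigned or has a sibling .dat file like the one listed above. The registry paths are the Windows defaults; the function name Get-OverlayHandlerReport is an assumption of this example.

```powershell
# Added example, not from the advisory: audit shell icon overlay handlers, the
# mechanism Coreflood uses to get its DLL loaded into explorer.exe. For each
# handler, report where the InprocServer32 DLL lives, whether it is signed, and
# whether a companion .dat file sits beside it.
$overlayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'

function Get-OverlayHandlerReport {
    foreach ($sub in Get-ChildItem -Path $overlayKey -ErrorAction SilentlyContinue) {
        # The (default) value of each subkey is the handler's CLSID.
        $clsid = (Get-ItemProperty -Path $sub.PSPath).'(default)'
        if (-not $clsid) { continue }

        # Resolve the CLSID to its in-process server DLL (HKCR merges HKLM and HKCU classes).
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
        $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }

        $exists = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dllPath).Status } else { 'n/a' }
        # Coreflood drops a .dat file next to its DLL; note whether one is present.
        $dat = if ($exists) {
            Test-Path -LiteralPath ([IO.Path]::ChangeExtension($dllPath, '.dat'))
        } else { $false }

        [PSCustomObject]@{
            Handler    = $sub.PSChildName
            CLSID      = $clsid
            DLL        = $dllPath
            Exists     = $exists
            Signature  = $sig
            SiblingDat = $dat
            # Triage hint only: unsigned overlay DLL, or one with a .dat sibling.
            Suspicious = [bool]($exists -and ($sig -ne 'Valid' -or $dat))
        }
    }
}

Get-OverlayHandlerReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run from an elevated PowerShell session so HKLM and %SystemDir% are fully readable; a Suspicious row is a starting point for inspection, since legitimate third-party overlay handlers may also be unsigned.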

-- Update - December 28, 2004--

A variant of this dropper trojan has been discovered which is downloaded via an HTA file (named My.hta and detected with the current DAT files as VBS/Psyme) that is believed to be used in conjunction with a recent Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability exploit.

This detection is for trojan dropper files which drop the Coreflood trojan.

The dropper files serve only to drop and execute other files on the target machine. When run, this is exactly what they do: the dropper itself does not necessarily install on the victim machine.

Symptoms

  • New files dropped on the target machine
  • Network activity as described

Method of Infection

This trojan dropper serves only to drop and execute other files on the target system. It does not self-replicate. Likely distribution channels for this trojan include IRC, peer-to-peer file-sharing networks, and attachments in newsgroup postings or email. The file is likely to be named in order to entice the victim to run it (e.g. NEW_YEAR.EXE).

Trojans may also be received as a result of poor security practices (weak username/password combinations on open shares, lack of or misconfigured firewall protection), or unpatched and vulnerable systems.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  N/A

Overview

-- Update July 02, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.pcworld.idg.com.au/index.php/id;990723355;fp;2;fpid;1
--

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
