CoreFlood.dll
- Type: Trojan
- SubType: Application extension
- Discovery Date: 02/23/2005
- Length: Varies
- Minimum DAT: 4244 (01/22/2003)
- Updated DAT: 6379 (06/16/2011)
- Minimum Engine: 5.3.00
- Description Added: 04/15/2004
- Description Modified: 07/09/2010 6:42 AM (PT)
Characteristics
-- Update - July 09, 2010 --
File Information -
- MD5: E881225BE8989D85729EE0B28412695B
- SHA: 3FBC5AB1BCD8938D1527231547D5B5E71137C8FC
Aliases -
- PCTools: Backdoor.Coreflood
- Sophos: Troj/Inject-NP
- Symantec: Backdoor.Coreflood!gen
- TrendMicro: TROJ_POSADOR.SMF
"CoreFlood.dll" is a generic detection for a backdoor family. It is the content dropped by the source file, which is detected as CoreFlood.dr. This DLL is injected into a legitimate Windows process to perform backdoor activity.
Upon execution, the Trojan drops the following files:
- %SystemDrive%\gpedmte.dat [Data file]
- %WinDir%\cryphdll.dat [Data file]
- %WinDir%\jobexdc.dat [Data file]
- %WinDir%\cryptuqx.dat [Data file]
The following registry keys have been added
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B4D49EB-425F-AD3A-C258-D29C7653A53A}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B4D49EB-425F-AD3A-C258-D29C7653A53A}\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\gpedmt
The following registry values have been added:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B4D49EB-425F-AD3A-C258-D29C7653A53A}\]
  InprocServer32 = "%SystemDrive%gpedmte.ocx"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B4D49EB-425F-AD3A-C258-D29C7653A53A}\]
  (default) = "gpedmte"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\]
  gpedmte = "{0B4D49EB-425F-AD3A-C258-D29C7653A53A}"
The ShellIconOverlayIdentifiers entry above is created in the Windows registry using a CLSID so that the DLL is loaded when the explorer process starts. The DLL itself is injected into the Windows explorer and iexplore processes.
--------------
-- Update - April 27, 2009--
Some variants of this threat have been observed connecting to hilton.xxxxxxhost.com on TCP port 80. The Trojan transfers system information to the remote attacker. It also accepts the following commands from the remote attacker and executes them on the victim's system:
RUNDLL
SETRANGE
ECHO
INFO
EXIT
RESTART
RESPAWN
MOVE
UNINSTALL
MULTICAST
RESOLVE
RUN
NOP
STATS
URL
SETCOOKIE
DELCOOKIES
LISTCOOKIES
LOG
EXPORT
COPY
ADD
INS
DEL
LST
ADDTO
DELFROM
SETSTR
PERFRM
UNFREEZE
RMOLD
OPEN
TIME
RSV
UNIFORG
SETWND
LSTWND
SHUTDOWN
DISKFLOOD
DISKUNFLOOD
SPACE
WND
FIND
SET
The Trojan monitors web accesses containing the following strings and gathers login credentials for online banking sites:
telegraphic
swift
remittance
foreign
iban
s.w.i.f.t
wire
cross-border
memorable
answer
password
passphras
challenge
secur
secret
identifica
firma
clave
codigo
segur
parol
This detection is for a DLL that is generated by CoreFlood.dr. The CoreFlood.dr component adds a DLL to the Windows system32 directory with a randomly generated name followed by the extension ".dil" (the 'i' is intentional).
A ShellIconOverlayIdentifiers entry is created in the Windows registry using a randomly generated CLSID so that the DLL is loaded when the explorer process starts. The DLL itself is injected into the Windows explorer and iexplore processes.
The functionality of this library includes modifying the system hosts entries, HTTP communication on port 80, and code similar to that of several bots for carrying out flooding techniques when instructed to do so.
-- Update - November 30, 2009--
File Information:
- MD5: 3E6F83CD07FB9868C25A913AC7E3E377
- SHA: 55EC606A9E10DA949588BE26DB60BBDE77D06E2B
- File Size: 131,072 bytes
Aliases:
- Microsoft: Backdoor:Win32/Afcore.gen!E
- Ikarus: Backdoor.Win32.Afcore
- Avira: BDS/Afcore.131072E.1
The following files have been added to the system:
- %SystemDir%\l⌂623070.dll [Detected as W32/Sality.dll]
- %SystemDir%\m⌂623070.dll [Detected as W32/Sality.dll]
- %SystemDir%\m⌂623070.dl_ [Detected as W32/Sality.dll]
- %SystemDir%\l⌂623070.dl_ [Detected as W32/Sality.dll]
The above files are a polymorphic virus that infects Win32 PE executable files. Polymorphic viruses create varied (though fully functional) copies of themselves to avoid detection by anti-virus software.
The following registry elements have been created:
- HKEY_LOCAL_MACHINE\software\classes\clsid\{[Random_CLSID]}\InprocServer32
  (default) = %SystemDir%\[Random_DLL_Name].dIl
- HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\[Random_DLL_Name]
  (default) = {[Random_CLSID]}
The InprocServer32 key above holds the full path to the DLL. It is the CLSID's in-process server entry, which tells any application that instantiates this COM (Component Object Model) object which DLL to load, for example the browser when a web page is visited.
The "ShellIconOverlayIdentifiers" subkey sets its default value to the string form of the CLSID, which is what causes Explorer to load the COM object as an icon overlay handler at startup.
System Changes
These are general defaults for typical path variables (they may differ, but these examples are common):
- %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
- %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista)
- %SystemDrive% = the drive on which the operating system is installed, usually C:\
Symptoms
- Presence of the files and registry keys listed above.
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Disable System Restore (Windows ME/XP only).
2. Update to current engine and DAT files for detection and removal.
3. Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.
Variants
N/A
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.