CoreFlood.dll

Type
Trojan
SubType
Application extension
Discovery Date
02/23/2005
Length
94208 bytes
Minimum DAT
4244 (01/22/2003)
Updated DAT
5795 (11/07/2009)
Minimum Engine
5.1.00
Description Added
04/15/2004
Description Modified
04/26/2009 3:30 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update - April 27, 2009 --

Some variants of this threat have been found connecting to hilton.xxxxxxhost.com on TCP port 80. The trojan transfers system information to the remote attacker. It has also been found to accept the following commands from the remote attacker and execute them on the victim's system:

RUNDLL
SETRANGE
ECHO
INFO
EXIT
RESTART
RESPAWN
MOVE
UNINSTALL
MULTICAST
RESOLVE
RUN
NOP
STATS
URL
SETCOOKIE
DELCOOKIES
LISTCOOKIES
LOG
EXPORT
COPY
ADD
INS
DEL
LST
ADDTO
DELFROM
SETSTR
PERFRM
UNFREEZE
RMOLD
OPEN
TIME
RSV
UNIFORG
SETWND
LSTWND
SHUTDOWN
DISKFLOOD
DISKUNFLOOD
SPACE
WND
FIND
SET


This detection is for a DLL that is generated by CoreFlood.dr. The core CoreFlood.dr component adds a DLL to the Windows system32 directory with a randomly generated name followed by the extension ".dil" (the 'i' is intentional, so that the file name resembles ".dll").

A ShellIconOverlayIdentifier entry is created in the Windows registry using a randomly generated CLSID, so that the DLL is loaded whenever the explorer process starts. The DLL itself is injected into the Windows explorer and iexplore processes.

The functionality of this library includes the ability to modify the system hosts entries, HTTP communication on port 80, and code similar to that of several bots for carrying out flooding techniques when instructed to do so.

The following files have been added to the system:

  • %SystemDir%\[Random_DLL_Name].dIl

The following registry elements have been created:

  • HKEY_LOCAL_MACHINE\software\classes\clsid\{[Random_CLSID]}\InprocServer32
    (default) = %SystemDir%\[Random_DLL_Name].dIl
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\[Random_DLL_Name]\
    (default) = {[Random_CLSID]}
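As an added detection example, not part of this advisory or McAfee's tooling: the script below parses a `reg export` style dump of the two key trees listed above (the sample data is constructed; the random name "kqzrtb" and both CLSIDs are made up) and flags ShellIconOverlayIdentifiers handlers whose CLSID resolves to an InprocServer32 path that does not end in a real ".dll", or whose subkey name equals the DLL's name, the pattern described above.

```python
import re

# Constructed `reg export` style excerpt (sample data, not from a real host); the
# key layout and ".dIl" extension follow the advisory, the name and CLSIDs are made up.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\classes\clsid\{0A1B2C3D-0000-4000-8000-00000000C0DE}\InprocServer32]
@="C:\\WINDOWS\\system32\\kqzrtb.dIl"
[HKEY_LOCAL_MACHINE\software\classes\clsid\{0A1B2C3D-0000-4000-8000-0000000000FF}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\kqzrtb]
@="{0A1B2C3D-0000-4000-8000-00000000C0DE}"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SharingPrivate]
@="{0A1B2C3D-0000-4000-8000-0000000000FF}"
"""
OVERLAY_ROOT = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer\\shelliconoverlayidentifiers\\"
CLSID_ROOT = "hkey_local_machine\\software\\classes\\clsid\\"

def parse_reg(text):
    """Map each lowercased key path to its (default) string value."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            continue
        m = re.match(r'^@="(.*)"$', line)
        if m and current is not None:
            keys[current] = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return keys

def find_suspicious_overlays(keys):
    """Return (overlay_name, clsid, dll_path, reasons) for handlers matching the pattern above."""
    findings = []
    for key, clsid in keys.items():
        if not key.startswith(OVERLAY_ROOT):
            continue
        name = key[len(OVERLAY_ROOT):].strip()
        dll = keys.get(CLSID_ROOT + clsid.lower() + "\\inprocserver32")
        if dll is None:
            continue  # CLSID has no in-process server to inspect
        stem, _, ext = dll.rsplit("\\", 1)[-1].rpartition(".")
        reasons = []
        if ext.lower() != "dll":  # genuine handlers are .dll; the trojan uses .dIl
            reasons.append("server extension '.%s' is not .dll" % ext)
        if stem.lower() == name.lower():  # subkey and DLL share the same random name
            reasons.append("overlay subkey name matches DLL name")
        if reasons:
            findings.append((name, clsid, dll, reasons))
    return findings
```

On a live host the same logic applies to the output of `reg export` for the two hives above; any hit should be confirmed by inspecting the referenced file rather than treated as proof of infection on its own.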

Symptoms

Presence of the files and registry keys listed above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
