Backdoor:Win32/Afcore.gen!B
First posted on 06 July 2009.
Source: SecurityHome
Aliases:
Backdoor:Win32/Afcore.gen!B is also known as Win32/Coreflood.BD (CA), Backdoor.Afcore.GGG (VirusBuster), Backdoor.AFCore.CW (BitDefender), Win32/Afcore.NAF (ESET), CoreFlood.dr.gen (McAfee).
Explanation:
Backdoor:Win32/Afcore.gen!B is a generic detection for a family of backdoor trojans that connect to a remote server to retrieve commands, which they then execute on the system. It usually arrives with a dropper component that modifies the system so that the dropped backdoor is injected into a legitimate Windows process.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
Installation
Upon execution, Backdoor:Win32/Afcore.gen!B drops the following files:
%TEMP%\<random string 1>.dll - detected as Backdoor:Win32/Afcore.gen!B
<system folder>\<random string 2>.dil - also detected as Backdoor:Win32/Afcore.gen!B
<system folder>\<random string 3>.dat - data file
<system folder>\<random string 4>.dat - data file
<system folder>\<random string 5>.dat - data file
<system folder>\<random string 6>.dat - data file
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
For example:
%TEMP%\gnfl.dll - detected as Backdoor:Win32/Afcore.gen!B
<system folder>\iaspojcy.dil - also detected as Backdoor:Win32/Afcore.gen!B
<system folder>\iaspojcy.dat - data file
<system folder>\comrspl.dat - data file
<system folder>\kbdmlv47.dat - data file
It registers the dropped .dil file as a COM in-process server and lists it as a shell icon overlay identifier, so that Explorer loads it every time Windows starts:
Adds value: "(default)"
With data: "<random string 1 with no extension>"
To subkey: HKLM\Software\Classes\CLSID\{<random UUID>}
Adds value: "(default)"
With data: "<system folder>\<random string 1>.dil"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{<random UUID>}\InprocServer32
Adds value: "(default)"
With data: "{<random UUID>}"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\<random string 1 without extension>
For example:
Adds value: "(default)"
With data: "iaspojcy"
To subkey: HKLM\Software\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}
Adds value: "(default)"
With data: "<system folder>\iaspojcy.dil"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}\InprocServer32
Adds value: "(default)"
With data: "{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\iaspojcy
Backdoor:Win32/Afcore.gen!B then restarts 'Explorer.exe' so that the malicious DLL file is loaded into its memory space.
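The registration chain described above (overlay identifier name, then the CLSID's default value, then its InprocServer32 module path) can be audited offline. The following is an added example, not code from the original write-up: it parses a .reg export of the relevant keys (a constructed sample is embedded, reusing the page's iaspojcy values plus an invented benign handler and invented file paths) and flags overlay handlers whose module is not a .dll or sits under a temp directory, the traits this family shows.

```python
# Constructed .reg export (not from the page) of the chain described above:
# overlay identifier name -> {CLSID} -> InprocServer32 -> module path. The
# iaspojcy entries reuse the page's values; the second handler is a benign control.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}]
@="iaspojcy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}\InprocServer32]
@="C:\\Windows\\System32\\iaspojcy.dil"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}]
@="Example Overlay Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example\\overlay.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\iaspojcy]
@="{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ Example]
@="{AAAAAAAA-0000-0000-0000-000000000001}"
"""
OVERLAY_ROOT = (r"hkey_local_machine\software\microsoft\windows\currentversion"
                r"\explorer\shelliconoverlayidentifiers")
CLSID_ROOT = r"hkey_local_machine\software\classes\clsid"

def parse_reg_defaults(text):
    """Map each key path (lower-cased) to its '(default)' string value."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg files escape quotes and backslashes inside string values
            defaults[key] = line[3:-1].replace('\\"', '"').replace("\\\\", "\\")
    return defaults

def find_suspicious_overlays(defaults):
    """Resolve each overlay identifier to its in-process server module and flag
    a non-.dll module name (e.g. .dil) or a module under a temp directory."""
    findings = []
    for key, clsid in defaults.items():
        if not key.startswith(OVERLAY_ROOT + "\\"):
            continue
        name = key[len(OVERLAY_ROOT) + 1:].strip()
        path = defaults.get(CLSID_ROOT + "\\" + clsid.lower() + "\\inprocserver32", "")
        reasons = []
        if not path.lower().endswith(".dll"):
            reasons.append("server module missing or not a .dll")
        if "\\temp\\" in path.lower():
            reasons.append("server module under a temp directory")
        if reasons:
            findings.append((name, clsid, path, reasons))
    return findings
```

On a live Windows host the same three-step lookup can be done against the registry directly (for example with the standard winreg module); the .reg parsing here is only so the example runs anywhere.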
Payload
Performs backdoor functionality
Backdoor:Win32/Afcore.gen!B opens a TCP port and waits for commands from a remote attacker. An attacker could send commands to, for example, capture passwords or attack other computers.
Analysis by Jireh Sanico
Last update 06 July 2009