Backdoor:Win32/Afcore.BB
First posted on 23 December 2013.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/Afcore.BB.
Explanation:
Threat behavior
Installation
Backdoor:Win32/Afcore.BB is installed by Backdoor:Win32/Afcore. When the installer trojan is run, it drops the following files:
- %TEMP%\ .dll - Backdoor:Win32/Afcore.BB
- %TEMP%\ .dll - Backdoor:Win32/Afcore.BB
- %TEMP%\ .dat - data file
- %TEMP%\ .dat - data file
- %TEMP%\ .dat - data file

It modifies the following registry entries so that the DLL in the %TEMP% folder runs each time you start your PC:
In subkey: HKLM\Software\Classes\CLSID\{ }
Sets value: "(default)"
With data:
In subkey: HKLM\SOFTWARE\Classes\CLSID\{ }\InprocServer32
Sets value: "(default)"
With data: "\ .dll" (the path of the dropped DLL)
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\
Sets value: "(default)"
With data: "{ }" (the CLSID registered above)

Registering the DLL as a shell icon overlay handler means Explorer.exe loads it in-process through COM each time the shell starts, so the backdoor needs no Run key, scheduled task or service of its own. After installing Backdoor:Win32/Afcore.BB, Backdoor:Win32/Afcore deletes itself by running instructions within a command shell (cmd.exe). The DLL then runs inside Explorer.exe, which hides the backdoor within a trusted process and lets its network traffic pass host firewall rules that allow Explorer.exe.
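A check a responder can run against the persistence mechanism described above, added here as an illustration and not taken from the Microsoft page: it walks ShellIconOverlayIdentifiers, resolves each registered CLSID to the InprocServer32 DLL that Explorer will load, and flags handlers whose DLL lives under a temp or per-user profile directory, is missing, or has no valid Authenticode signature. The directory list, the flag labels and the function name Get-ShellOverlayHandler are the example's own choices.

```powershell
# Added example (not from the Microsoft page or Microsoft tooling): enumerate
# Explorer shell icon overlay handlers and resolve each one to its DLL, the
# way Explorer.exe does at startup, so a temp-directory DLL such as the one
# Afcore.BB registers stands out. Run in an elevated PowerShell on the host.
function Get-ShellOverlayHandler {
    $overlayKey = 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'

    # Explorer resolves CLSIDs through HKCR, which merges HKLM and HKCU classes,
    # so look in both (plus the 32-bit view) when resolving InprocServer32.
    $clsidRoots = @(
        'Registry::HKLM\SOFTWARE\Classes\CLSID',
        'Registry::HKLM\SOFTWARE\Classes\Wow6432Node\CLSID',
        'Registry::HKCU\SOFTWARE\Classes\CLSID'
    )

    # Directories a legitimate overlay handler DLL should not live under
    # (assumption for this example; tune for your environment).
    $suspiciousRoots = @(
        [Environment]::ExpandEnvironmentVariables('%TEMP%'),
        [Environment]::ExpandEnvironmentVariables('%TMP%'),
        'C:\Windows\Temp',
        [Environment]::ExpandEnvironmentVariables('%APPDATA%'),
        [Environment]::ExpandEnvironmentVariables('%LOCALAPPDATA%')
    ) | Where-Object { $_ }

    foreach ($entry in Get-ChildItem -Path $overlayKey -ErrorAction SilentlyContinue) {
        # The overlay subkey's (default) value holds the handler's CLSID, "{...}".
        $clsid = (Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue).'(default)'
        if (-not $clsid) { continue }

        # Follow the CLSID to its InprocServer32 (default) value: the DLL path.
        $dll = $null
        foreach ($root in $clsidRoots) {
            $inproc = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path -Path $inproc) {
                $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
                if ($dll) { break }
            }
        }

        if (-not $dll) {
            # A registered overlay with no resolvable COM server is itself odd.
            [PSCustomObject]@{ Overlay = $entry.PSChildName; CLSID = $clsid; DLL = '<unresolved>'; Flag = 'NO-SERVER' }
            continue
        }

        $expanded = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        $flag = 'ok'

        # Afcore.BB's pattern: the handler DLL lives under %TEMP%.
        foreach ($root in $suspiciousRoots) {
            if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $flag = 'TEMP-DLL'; break }
        }

        if ($flag -eq 'ok' -and -not (Test-Path -LiteralPath $expanded)) {
            $flag = 'MISSING-FILE'
        }

        if ($flag -eq 'ok') {
            # Anything loaded into every Explorer.exe should carry a valid signature.
            $sig = Get-AuthenticodeSignature -FilePath $expanded
            if ($sig.Status -ne 'Valid') { $flag = "UNSIGNED ($($sig.Status))" }
        }

        [PSCustomObject]@{ Overlay = $entry.PSChildName; CLSID = $clsid; DLL = $expanded; Flag = $flag }
    }
}

Get-ShellOverlayHandler | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Deleting the flagged ShellIconOverlayIdentifiers subkey and the matching CLSID key stops the handler from loading at the next shell start, but the copy already running inside Explorer.exe stays resident until Explorer is restarted or the host is rebooted, so quarantine the DLL and restart the shell rather than relying on the registry cleanup alone.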
Payload
Allows remote access and control
Backdoor:Win32/Afcore.BB opens a TCP port and listens for commands from a remote attacker. The attacker can instruct the trojan to capture passwords and to attack other computers.
Analysis by Andrei Florin Saygo
Symptoms
Alerts from your security software may be the only symptom.
Last update 23 December 2013