
Backdoor:Win32/Afcore.Q


First posted on 28 May 2009.
Source: SecurityHome

Aliases:

Backdoor:Win32/Afcore.Q is also known as Win32/Tnega.DT (CA), Trojan.Win32.Agent2.gow (Kaspersky), CoreFlood.dll (McAfee), Trj/Zlob.HK (Panda), Troj/Virtum-Gen (Sophos) and Backdoor.Coreflood.C (Symantec).

Explanation:

Backdoor:Win32/Afcore.Q is a trojan that gives an attacker remote access to the affected computer. The attacker can send instructions to perform actions such as capturing passwords and attacking other computers.

Symptoms
There are no common symptoms associated with this threat. Alerts from installed antivirus software may be the only symptom.


Installation
Backdoor:Win32/Afcore.Q is installed by TrojanDropper:Win32/Afcore.C. When the installer trojan is run, it drops the following files:

%TEMP%\<random name>.dll - Backdoor:Win32/Afcore.Q
<system folder>\<random name>.dil - Backdoor:Win32/Afcore.Q
<system folder>\<random name>.dat - data file
<system folder>\<random name>.dat - data file
<system folder>\<random name>.dat - data file

The dropped DLL in the %TEMP% folder is executed. The registry is then modified so that the DLL is loaded at each Windows start. Note that no Run key is involved: the trojan registers the DLL as a COM in-process server and lists that CLSID as a shell icon overlay handler, and Explorer.exe loads every registered overlay handler when the shell starts.

Adds value: "(default)"
With data: <random name without extension>
To subkey: HKLM\Software\Classes\CLSID\{<random UUID>}

Adds value: "(default)"
With data: "<system folder>\<random name>.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{<random UUID>}\InprocServer32

Adds value: "(default)"
With data: "{<random UUID>}"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\<random name without extension>

After installing Backdoor:Win32/Afcore.Q, TrojanDropper:Win32/Afcore.C deletes itself by executing instructions within a command shell (cmd.exe). The DLL is then injected into the memory space of Explorer.exe in order to hide itself (no separate process appears in a process list) and to bypass personal firewalls that already trust Explorer.exe.
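The three registry keys above are also the cleanest place to hunt for this persistence. The following is an added example, not part of the original advisory, that walks the ShellIconOverlayIdentifiers list, resolves each handler's CLSID to its InprocServer32 DLL and flags entries that look like the registration described (DLL missing, unsigned, under %TEMP%, or an unsigned file in the system folder). The function names and flag wording are this example's own; it assumes Windows PowerShell 5.1 or later with read access to HKLM.

```powershell
# Added example (not part of the original advisory): enumerate the shell icon
# overlay handlers Explorer loads at start, resolve each CLSID to its
# InprocServer32 DLL, and flag entries that match the registration pattern
# described above. Assumes Windows PowerShell 5.1+ with read access to HKLM.

$OverlayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'   # 32-bit handlers on 64-bit Windows
)
$SystemDir = [Environment]::GetFolderPath('System')

# Map a CLSID to the expanded path of its in-process COM server DLL, or $null.
function Resolve-InprocServerDll {
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $srvKey = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $srvKey) {
            $raw = (Get-ItemProperty -LiteralPath $srvKey).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw) }
        }
    }
    return $null
}

# One report row per registered overlay handler, with triage flags.
function Get-OverlayHandlerReport {
    Get-ChildItem -LiteralPath $OverlayKey -ErrorAction SilentlyContinue | ForEach-Object {
        $name  = $_.PSChildName
        $clsid = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
        $dll   = Resolve-InprocServerDll -Clsid $clsid
        $flags = New-Object System.Collections.Generic.List[string]

        if (-not $dll) {
            $flags.Add('no InprocServer32 DLL')
            $sig = 'n/a'
        } elseif (-not (Test-Path -LiteralPath $dll)) {
            $flags.Add('DLL path does not exist')
            $sig = 'n/a'
        } else {
            $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            if ($sig -ne 'Valid') { $flags.Add("signature: $sig") }
            if ($dll -like "$env:TEMP\*") { $flags.Add('DLL under %TEMP%') }
            if (($dll -like "$SystemDir\*") -and ($sig -ne 'Valid')) {
                $flags.Add('unsigned DLL in system folder')
            }
        }

        [pscustomobject]@{
            Handler   = $name
            CLSID     = $clsid
            Dll       = $dll
            Signature = $sig
            Flags     = ($flags -join '; ')
        }
    }
}

Get-OverlayHandlerReport | Sort-Object Flags -Descending | Format-Table -AutoSize
```

A clean machine lists only a handful of overlay handlers, all backed by signed Microsoft or well-known vendor DLLs, so a handler with a random-looking name whose DLL is unsigned stands out immediately. Because Explorer reads the merged HKCR view, a variant could register under HKCU\Software\Classes\CLSID instead; the advisory only documents HKLM, but adding that root to $ClsidRoots costs nothing.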

Payload
Allows Remote Access & Control
Backdoor:Win32/Afcore.Q opens a TCP port and waits for commands from an attacker. The attacker can send commands such as capturing passwords and attacking other computers.
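Two runtime artefacts follow from the payload and installation descriptions: a listening TCP socket owned by Explorer.exe, which normally owns none, and a module loaded into Explorer.exe from outside the Windows and Program Files directories. The check below is an added example, not code from the original advisory; its function names are its own, and it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated prompt so the module list of explorer.exe is readable.

```powershell
# Added example (not part of the original advisory): look for a TCP listener
# owned by explorer.exe and for explorer.exe modules loaded from outside the
# usual trusted directories. Assumes Windows 8 / Server 2012 or later and an
# elevated prompt.

$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

# explorer.exe has no legitimate reason to accept inbound TCP connections.
function Get-ExplorerListeners {
    $explorerPids = @(Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object Id)
    if ($explorerPids.Count -eq 0) { return @() }
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $explorerPids -contains $_.OwningProcess } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

# Modules mapped into explorer.exe whose file lives outside the trusted roots;
# a DLL under %TEMP% is the pattern the dropper described above would leave.
function Get-ExplorerForeignModules {
    foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { continue }   # access denied / bitness mismatch
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $trusted = $false
            foreach ($root in $TrustedRoots) {
                if ($path -like "$root\*") { $trusted = $true; break }
            }
            if ($trusted) { continue }
            [pscustomobject]@{
                ProcessId = $proc.Id
                Module    = $path
                InTemp    = ($path -like "$env:TEMP\*")
                Signature = (Get-AuthenticodeSignature -FilePath $path).Status
            }
        }
    }
}

Write-Host '== Listening TCP sockets owned by explorer.exe (expected: none) =='
Get-ExplorerListeners | Format-Table -AutoSize

Write-Host '== explorer.exe modules outside Windows / Program Files (review each) =='
Get-ExplorerForeignModules | Format-Table -AutoSize
```

On the Windows XP era systems this family targeted, `netstat -ano` and `tasklist /m /fi "imagename eq explorer.exe"` give the same two views by hand. Note the caveat on the module check: it only sees DLLs that went through the Windows loader. A sample that maps itself into Explorer without a loader entry will not appear in $proc.Modules, so a missing hit is not a clean bill of health; a memory scan or the registry check in the Installation section is still needed.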

Analysis by Vincent Tiu

Last update 28 May 2009
