BKDR_AFCORE.HC

This backdoor arrives as a component bundled with malware/grayware packages. It may be unknowingly downloaded by a user while visiting malicious websites.

It is a component of other malware. It may be injected into processes running in memory.

It executes commands from a remote malicious user, effectively compromising the affected system.

It requires its main component to successfully perform its intended routine.

Arrival Details

This backdoor arrives as a component bundled with malware/grayware packages.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor drops the following non-malicious files:

• %System%\{random file name 1}.dat
• %System%\{random file name 2}.dat
• %System%\{random file name 3}.dat
• %System%\{random file name 4}.dat
• %Current%\{malware file name}.dat

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

• %System%\{random file name 3}.ocx

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{random characters}
• Local\{random characters}

It is a component of other malware.

It may be injected into processes running in memory.

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CLASSES_ROOT\CLSID\{random CLSID}\
InprocServer32
(Default} = "{malware path and file name}"

HKEY_CLASSES_ROOT\CLSID\{random CLSID}\
InprocServer32
(Default) = "%System%\{random file name 3}.ocx"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\{malware filename}
DllName = {malware path and filename}

Other System Modifications

This backdoor adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\CLSID\{random CLSID}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
ShellIconOverlayIdentifiers\{malware file name}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
ShellIconOverlayIdentifiers\{random file name 3}

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• ADDTO
• DELCOOKIES
• DELFROM
• DISKFLOOD
• DISKUNFLOOD
• EXPORT
• IPHLP
• IPHLPA
• IPHLPF
• LISTCOOKIES
• LSTWND
• MULTICAST
• PERFRM
• RESOLVE
• RESPAWN
• RESTART
• RMOLD
• RUNDLL
• SETCOOKIE
• SETRADIUS
• SETRANGE
• SETSP
• SETSP3
• SETSTR
• SETWND
• SHUTDOWN
• STATS
• UNFREEZE
• UNIFORG
• UNINSTALL

Other Details

This backdoor requires its main component to successfully perform its intended routine.

NOTES:

This file is a component of another malware that may be used to log user activities on the system.

It may attach itself to the following processes:

• *\explorer.exe
• *\intern*\iexplore.exe
• *\firefox.exe
• *\chrome.exe
• *\opera.exe
• *\outlook.exe
• *\outloo*\msimn.exe

It monitors the browsing activities of the user and gathers information entered in websites with the following strings:

• *.nhs.net/*
• *.nhs.uk/*
• *.hilton.*
• *.yahoo.*
• *.google.*

This backdoor connects to the following server via HTTP POST using TCP port 80 to wait for commands coming from a remote user:

• {BLOCKED}ocker.antrexhost.com

It logs the gathered information to one of the dropped .DAT files.

It performs the following actions after a connection is established:

• Open, create, rename, delete files/registries
• Scan drives
• Shutdown affected machine
• Shutdown, restart, or respawn itself
• Terminate processes