BKDR_AFCORE

POSADOR, also known as CoreFlood, is a botnet known for stealing users’ financial and personal identifiable information. In 2011, this botnet was reportedly taken down with the help of Federal Bureau of Investigation (FBI) and U.S. Department of Justice.

This malware is also used to drop and execute a backdoor on the infected system thus enabling remote attackers to have full control of the systems.

Other System Modifications

This backdoor adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\CLSID\{CLSID}
@ = "{random}"

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
InprocServer32
@ = "%System%\{random}.ocx"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{CLSID}
@ = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{CLSID}\InprocServer32
@ = "%System%\{random}.ocx"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
ShellIconOverlayIdentifiers\{random}
@ = "{CLSID}"

It adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\CLSID\{CLSID}

HKEY_CLASSES_ROOT\CLSID\{CLSID}\
InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{CLSID}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{CLSID}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
ShellIconOverlayIdentifiers\{random}

Dropping Routine

This backdoor drops the following files:

• %System%\{random}.dat
• %System%\{random1}.dat
• %System%\{random2}.dat
• %System%\{random3}.dat
• %System%\{random}.ocx
• %User Temp%\{random}.dll
• %User Temp%\{random}.tmp

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)