BKDR_AFCORE
Afcore, Coreflood, Kunhitta, Tirnod
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
AFCORE, also known as Coreflood, is a botnet known for stealing users' financial and other personally identifiable information. In 2011, the botnet was reportedly taken down with the help of the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice.
This malware is also used to drop and execute a backdoor on the infected system, giving remote attackers full control of the system.
TECHNICAL DETAILS
Other System Modifications
This backdoor adds the following registry entries as part of its installation routine. The CLSID entries register the dropped .ocx file as a COM in-process server, and the ShellIconOverlayIdentifiers entry registers that CLSID as a shell icon overlay handler, which Windows Explorer loads into explorer.exe at every logon. This is how the backdoor persists without a conventional Run key:
HKEY_CLASSES_ROOT\CLSID\{CLSID}
@ = "{random}"
HKEY_CLASSES_ROOT\CLSID\{CLSID}\InprocServer32
@ = "%System%\{random}.ocx"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID}
@ = "{random}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID}\InprocServer32
@ = "%System%\{random}.ocx"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\{random}
@ = "{CLSID}"
It adds the following registry keys as part of its installation routine:
HKEY_CLASSES_ROOT\CLSID\{CLSID}
HKEY_CLASSES_ROOT\CLSID\{CLSID}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\{random}
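The registry entries above give a responder a concrete hunting pattern: an icon overlay handler whose CLSID resolves to an .ocx dropped straight into the Windows system folder. The following script is an added example written for this page, not code from the vendor or from the malware analysis. It parses the text of a `reg export` of the ShellIconOverlayIdentifiers key and of HKLM\SOFTWARE\Classes\CLSID (HKCR\CLSID is a merged view of the latter, so the HKLM hive is sufficient), resolves each handler's InprocServer32 path, and flags handlers matching the indicators in this section. The embedded registry sample is constructed for the example; its CLSIDs, handler names and file names are invented and belong to no real product.

```python
"""Hunt for shell icon overlay handlers backed by a COM server in the
Windows system folder, the persistence pattern described above.

On a live host, produce the input with (run from an elevated prompt):
  reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers" overlays.reg /y
  reg export "HKLM\SOFTWARE\Classes\CLSID" clsid.reg /y
and pass the concatenated text (reg export writes UTF-16 LE) to scan().
"""
import re
from typing import Dict, List, Tuple

OVERLAY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"
CLSID_ROOTS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID", r"HKEY_CLASSES_ROOT\CLSID")

# %System% on 32-bit Windows, and System32/SysWOW64 on 64-bit Windows.
SYSTEM_DIR = re.compile(r"^(?:%system%|[a-z]:\\win(?:dows|nt)\\(?:system32|syswow64))\\", re.I)

# One .reg line: either the default value (@) or a quoted name, then a quoted
# string value or some other typed value (dword:, hex:, ...).
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(?:"((?:[^"\\]|\\.)*)"|(.*))$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse key headers and REG_SZ values from .reg text.

    Returns {key_path: {value_name: value}}; the default value is stored as "@".
    Non-string values are kept raw, which is fine for this check.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        value = _unescape(m.group(3)) if m.group(3) is not None else m.group(4)
        keys[current][name] = value
    return keys


def resolve_overlay_handlers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (handler name, CLSID, InprocServer32 path) for each overlay handler."""
    by_lower = {k.lower(): v for k, v in keys.items()}
    prefix = OVERLAY_KEY.lower() + "\\"
    handlers = []
    for key, values in keys.items():
        rest = key[len(prefix):] if key.lower().startswith(prefix) else ""
        if not rest or "\\" in rest:          # skip the parent key and any deeper subkeys
            continue
        clsid = values.get("@", "")
        server = ""
        for root in CLSID_ROOTS:             # HKLM\SOFTWARE\Classes first, HKCR as fallback
            inproc = by_lower.get(f"{root}\\{clsid}\\InprocServer32".lower(), {})
            if "@" in inproc:
                server = inproc["@"]
                break
        handlers.append((rest, clsid, server))
    return handlers


def flag_handlers(handlers: List[Tuple[str, str, str]]) -> List[dict]:
    """Apply the indicators from this section: an .ocx server and/or a server in %System%."""
    findings = []
    for name, clsid, server in handlers:
        reasons = []
        if server.lower().endswith(".ocx"):
            reasons.append("in-process server is an .ocx rather than a .dll")
        if SYSTEM_DIR.match(server):
            reasons.append("server sits directly in the Windows system folder")
        if reasons:
            findings.append({"name": name, "clsid": clsid, "server": server, "reasons": reasons})
    return findings


def scan(reg_text: str) -> List[dict]:
    return flag_handlers(resolve_overlay_handlers(parse_reg_export(reg_text)))


# Constructed sample export: one benign handler (invented vendor, Program Files
# path, leading space as legitimate handlers use to sort first) and one entry
# shaped like the registry modifications described on this page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ ExampleSync1]
@="{0A1B2C3D-4E5F-4601-8899-AABBCCDDEEFF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\xkqwrl]
@="{D4E9A1C2-7B3F-4A6E-9C01-2F5B8E7D3A10}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1B2C3D-4E5F-4601-8899-AABBCCDDEEFF}]
@="ExampleSync Overlay Handler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1B2C3D-4E5F-4601-8899-AABBCCDDEEFF}\InprocServer32]
@="C:\\Program Files\\ExampleSync\\SyncShell64.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4E9A1C2-7B3F-4A6E-9C01-2F5B8E7D3A10}]
@="rtyuiop"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4E9A1C2-7B3F-4A6E-9C01-2F5B8E7D3A10}\InprocServer32]
@="C:\\Windows\\System32\\qzmxbv.ocx"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_REG):
        print(f"[!] overlay handler '{f['name']}' -> {f['clsid']} -> {f['server']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Every handler the script flags is only a lead: confirm by checking the file's digital signature and hashing it, and remember that a clean host may legitimately have handlers in System32 (Microsoft's are DLLs under a signed, non-random name). Removing the ShellIconOverlayIdentifiers subkey and the CLSID keys, then deleting the .ocx and the .dat files listed below, removes the persistence; the .ocx stays mapped in explorer.exe until the next logon.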
Dropping Routine
This backdoor drops the following files:
- %System%\{random}.dat
- %System%\{random1}.dat
- %System%\{random2}.dat
- %System%\{random3}.dat
- %System%\{random}.ocx
- %User Temp%\{random}.dll
- %User Temp%\{random}.tmp
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)