Method of Infection
Win32/Coreflood.BS is a DLL that is usually dropped by other Win32/Coreflood variants and then injected into one of the following processes:
explorer.exe
iexplore.exe
firefox.exe
opera.exe
skype.exe
The trojan creates the following registry entries as part of its installation routine. The CLSID and InprocServer32 keys register the DLL as a COM in-process server (HKCR\CLSID is a merged view of HKLM\SOFTWARE\Classes\CLSID, so the two pairs below describe the same registration). The ShellIconOverlayIdentifiers entry causes explorer.exe to instantiate that COM object, which loads the DLL into the shell, and AppInit_DLLs causes every process that loads user32.dll to load it as well.
HKCR\CLSID\{Random CLSID}
@ = "{Malware Filename}"
HKCR\CLSID\{Random CLSID}\InprocServer32
@ = "{Malware Path and FileName}"
ThreadingModel = "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{Random CLSID}
@ = "{Malware Filename}"
HKLM\SOFTWARE\Classes\CLSID\{Random CLSID}\InprocServer32
@ = "{Malware Path and FileName}"
ThreadingModel = "Apartment"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\{Malware Filename}
@ = "{Random CLSID}"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = "{Malware Path and FileName}"
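As an added example (not part of the original write-up), the following Python script triages a `reg export` dump offline for the persistence chain listed above: it parses the .reg text, follows each ShellIconOverlayIdentifiers entry to its CLSID and InprocServer32 DLL, and reports handlers whose DLL also appears in AppInit_DLLs. The embedded dump is constructed for the example; the CLSIDs, the `shlext32.dll` name and path, and the benign `ExampleOverlay` handler are placeholders, not indicators from this sample.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of a `reg export` dump, not a capture from an infected
# host. The CLSID, the file name "shlext32.dll" and its path stand in for the
# {Random CLSID} and {Malware Path and FileName} in the write-up; the
# "ExampleOverlay" handler is a made-up benign entry that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1B2C3D-1111-2222-3333-444455556666}]
@="shlext32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A1B2C3D-1111-2222-3333-444455556666}\InprocServer32]
@="C:\\WINDOWS\\system32\\shlext32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\shlext32.dll]
@="{0A1B2C3D-1111-2222-3333-444455556666}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99999999-AAAA-BBBB-CCCC-DDDDEEEEFFFF}\InprocServer32]
@="C:\\Program Files\\Example\\overlay.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ExampleOverlay]
@="{99999999-AAAA-BBBB-CCCC-DDDDEEEEFFFF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\shlext32.dll"
'''

CLSID_ROOTS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID", r"HKEY_CLASSES_ROOT\CLSID")
OVERLAY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# A .reg value line: either @=... (default value) or "name"=... with \" escapes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.
    The default value is stored under "@". REG_SZ data has its .reg escaping
    (\\\\ and \\") undone; other types (dword:, hex:) are kept as written."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def get_key(keys: Dict[str, Dict[str, str]], path: str) -> Dict[str, str]:
    """Case-insensitive key lookup; registry paths are case-insensitive."""
    want = path.lower()
    return next((v for k, v in keys.items() if k.lower() == want), {})


def get_value(values: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive value lookup within one key."""
    want = name.lower()
    return next((v for k, v in values.items() if k.lower() == want), None)


def inproc_server(keys: Dict[str, Dict[str, str]], clsid: str) -> Optional[str]:
    """Resolve a CLSID to its in-process server DLL. HKCR\\CLSID is a merged view
    over HKLM\\SOFTWARE\\Classes\\CLSID, so a dump may use either spelling."""
    for root in CLSID_ROOTS:
        dll = get_value(get_key(keys, f"{root}\\{clsid}\\InprocServer32"), "@")
        if dll:
            return dll
    return None


def appinit_dlls(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """AppInit_DLLs is a space- or comma-separated list of DLL paths (which is
    why paths containing spaces cannot be used there in the first place)."""
    raw = get_value(get_key(keys, APPINIT_KEY), "AppInit_DLLs") or ""
    return [p for p in re.split(r"[ ,]+", raw) if p]


def find_coreflood_persistence(reg_text: str) -> List[dict]:
    """Return ShellIconOverlayIdentifiers handlers whose COM server DLL is also
    listed in AppInit_DLLs, i.e. the two load paths the write-up describes
    (explorer.exe via the overlay handler, every user32-linked process via AppInit_DLLs)."""
    keys = parse_reg(reg_text)
    appinit = {p.lower() for p in appinit_dlls(keys)}
    prefix = OVERLAY_KEY.lower() + "\\"
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        handler = path[len(prefix):]
        clsid = get_value(values, "@") or ""
        dll = inproc_server(keys, clsid)
        if dll and dll.lower() in appinit:
            findings.append({
                "handler": handler,
                "clsid": clsid,
                "dll": dll,
                # Coreflood.BS names the overlay subkey after the DLL file itself.
                "handler_named_after_dll": handler.lower() == dll.rsplit("\\", 1)[-1].lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_coreflood_persistence(SAMPLE_REG):
        print(finding)
```

Feed it the output of `reg export HKLM hklm.reg` taken from the suspect host (Windows writes .reg exports as UTF-16, so read the file with `encoding="utf-16"` before passing the text in). The heuristic requires the same DLL in both load paths, so an ordinary icon overlay handler such as the constructed `ExampleOverlay` is not reported; a hit still needs confirming against the file on disk and the process list above.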
Payload
Connects to Malicious Servers
Win32/Coreflood.BS connects to the following malicious servers to perform its backdoor routines.
174.120.120.151
blackwizard.myfirstcar.cc
secure.termobite.ws
Downloads Other Files
Win32/Coreflood.BS downloads a file from one of the servers listed above and saves it as "avupdate.dat" in the %Temp% folder.
%Temp% is a variable that refers to the Temporary folder. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ for Windows NT, Windows 2000 and Windows XP. %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Analysis by Ricardo Robielos III