Virus Profile: CoreFlood.dr

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 11/24/2004
Date Added: 4/15/2004
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Dropper
DAT Required: 4292

Description

-- Update Oct 30, 2009 --
Some new variants of this threat use a slightly different naming convention for the dropped files: the file previously named [Random_DLL_Name].dIl is now named [Random_DLL_Name].ocx. Note that the older extension as written throughout this profile is ".dIl" (with a capital I), which resembles but is not ".dll"; a search for *.dll files will not find it.

The malicious code is injected into the following processes:

  • explorer.exe
  • iexplore.exe
  • firefox.exe
  • opera.exe
  • skype.exe

Some variants of this threat have been observed connecting over TCP port 80 to domain names containing the following (specific hosts and paths removed):

  • [Removed].nhs.net/[Removed]
  • [Removed].nhs.uk/[Removed]
  • [Removed].hilton.[Removed]
  • [Removed].yahoo.[Removed]
  • [Removed].google.[Removed]

-- Update July 02, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.pcworld.idg.com.au/index.php/id;990723355;fp;2;fpid;1
--

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

  • Presence of the dropped files and registry entries listed under Virus Characteristics below
  • Network activity to the hosts described above

Methods of Infection

This trojan dropper serves only to drop and execute other files on the target system. It does not self-replicate. Likely distribution channels for this trojan include IRC, peer-to-peer file-sharing networks, and attachments to newsgroup postings or email. The file is likely to be named so as to entice the victim to run it (e.g. NEW_YEAR.EXE).

Trojans may also be received as a result of poor security practices (weak username/password combinations on open shares, lack of or misconfigured firewall protection) or unpatched and vulnerable systems.

   

Virus Characteristics

-- Update - November 6, 2008--

Some variants of this threat have been known to contact the following hosts over TCP port 80:

  • avupdate.net
  • mcupdate.net

From these hosts the trojan can receive commands, for example to download and execute other malware, to log and steal information, to update itself, or to take part in flooding (denial-of-service) attacks.

This trojan has mostly been known to spread through browser exploits. It has also been observed being installed by other malware, which typically uses psexec.exe to push it onto other machines on the network (a lateral-movement step that requires valid administrative credentials on the target machine).

-- Update - June 24, 2008--

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)

A new version of the Coreflood trojan, named "wmedia106.exe", has been found. On execution the trojan drops a DLL file in %SystemDir% which is loaded into explorer.exe (see the registry entries below).

The dropped DLL name varies per installation of the trojan. In the following description the random name of the DLL is written as "[Random_DLL_Name]".

The following files have been added to the system:

  • %SystemDir%\[Random_DLL_Name].dat
  • %SystemDir%\[Random_DLL_Name].dIl
  • %SystemDir%\[Random Name].dat
  • %SystemDir%\[Random Name].dat
  • %SystemDir%\[Random Name].dat
  • %SystemDir%\[Random Name].dat

The following registry elements have been created:

  • HKEY_LOCAL_MACHINE\software\classes\clsid\{[Random_CLSID]}\InprocServer32
    • (default) = %SystemDir%\[Random_DLL_Name].dIl
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\[Random_DLL_Name]\
    • (default) = {[Random_CLSID]}

The first key registers the dropped file as an in-process COM server under a random CLSID; the second registers that CLSID as a shell icon overlay handler. Explorer loads every registered overlay handler when it starts, so this pair of keys is what causes explorer.exe to load the DLL at each logon without any Run key or service entry.
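As an added example (not part of this profile or of any McAfee tooling), the following Python script applies the persistence indicators above to a .reg export of the overlay-identifier and CLSID keys: it resolves every ShellIconOverlayIdentifiers entry to the file Explorer will load and flags targets whose extension is not .dll, including the ".dIl" look-alike and the later ".ocx" naming. The sample export, CLSIDs and file names embedded in the script are constructed for illustration; on a real host you would export the two hives with `reg export` (which writes UTF-16, so open the file with encoding="utf-16") and feed that text to `parse_reg_defaults`.

```python
from typing import Dict, List, Optional

# Registry roots named in the profile, lower-cased for case-insensitive matching.
OVERLAY_ROOT = (r"hkey_local_machine\software\microsoft\windows\currentversion"
                r"\explorer\shelliconoverlayidentifiers" + "\\")
CLSID_ROOT = r"hkey_local_machine\software\classes\clsid" + "\\"

# Constructed sample export (NOT a real capture): one ordinary overlay handler
# and two that follow the CoreFlood pattern, one with the ".dIl" (capital I)
# extension and one with the later ".ocx" naming. CLSIDs and names are made up.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\Example\\OverlayHandler.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINDOWS\\system32\\qwzkdlpa.dIl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@="C:\\WINDOWS\\system32\\mxctrpaq.ocx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ExampleOverlay]
@="{11111111-1111-1111-1111-111111111111}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\qwzkdlpa]
@="{22222222-2222-2222-2222-222222222222}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\mxctrpaq]
@="{33333333-3333-3333-3333-333333333333}"
"""


def parse_reg_defaults(text: str) -> Dict[str, str]:
    """Map each [key] in a .reg export (lower-cased) to its (Default) value.

    Only the '@=' default value is kept, because that is where both the
    overlay identifier's CLSID and the CLSID's InprocServer32 path live.
    """
    defaults: Dict[str, str] = {}
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg string values escape backslashes and quotes
            defaults[key] = line[3:-1].replace("\\\\", "\\").replace('\\"', '"')
    return defaults


def extension_of(path: str) -> str:
    """Return the extension of the last path component (without the dot)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


def looks_like_dll(ext: str) -> bool:
    """True for extensions that read as 'dll' once capital I or digit 1 is
    mistaken for lowercase L (e.g. 'dIl', 'd1l') but are not actually 'dll'."""
    if ext.lower() == "dll":
        return False
    return ext.replace("I", "l").replace("1", "l").lower() == "dll"


def hunt_overlay_handlers(defaults: Dict[str, str]) -> List[dict]:
    """Resolve each ShellIconOverlayIdentifiers entry to the file Explorer will
    load and report the ones that do not look like ordinary overlay DLLs."""
    findings: List[dict] = []
    for key, clsid in defaults.items():
        if not key.startswith(OVERLAY_ROOT):
            continue
        overlay = key[len(OVERLAY_ROOT):]
        path = defaults.get(CLSID_ROOT + clsid.lower() + "\\inprocserver32")
        reasons: List[str] = []
        if path is None:
            reasons.append("CLSID has no InprocServer32 default value in the export")
        else:
            ext = extension_of(path)
            if ext.lower() != "dll":
                reasons.append(f"target is not a .dll file (extension '.{ext}')")
            if looks_like_dll(ext):
                reasons.append("extension is a visual look-alike for .dll")
            low = path.lower()
            if reasons and ("\\system32\\" in low or "\\system\\" in low):
                reasons.append("target lives in the system directory, as in the profile")
        if reasons:
            findings.append({"overlay": overlay, "clsid": clsid,
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_overlay_handlers(parse_reg_defaults(SAMPLE_REG)):
        print(f"{f['overlay']} -> {f['clsid']} -> {f['path']}")
        for r in f["reasons"]:
            print("    ", r)
```

The script deliberately does not flag on the handler name being "random", since legitimate overlay handlers use arbitrary names too; the reliable signal from this profile is the combination of an overlay handler whose server is a non-.dll file in the system directory.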

-- Update - December 28, 2004--

A variant of this dropper trojan has been discovered which is downloaded via an HTA file (named My.hta and detected with the current DAT files as VBS/Psyme) that is believed to be used in conjunction with a recent exploit for the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability.


This detection is for trojan dropper files which drop the Coreflood trojan.

The dropper files serve only to drop and execute other files on the target machine. When run, this is exactly what they do; the dropper itself does not necessarily remain on the victim machine once its payload has been installed.

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations