Troj/CoreFloo-C

Troj/CoreFloo-C
Aliases:
TrojanDropper.Win32.Emaner, CoreFlood.dr, Backdoor.Coreflood

Type : Trojan

Description
Troj/CoreFloo-C is a backdoor Trojan which allows a remote intruder to access and control the computer via IRC channels.
The Trojan arrives as an installation executable with a random filename consisting of 7 characters a-z and an extension of EXE.

When the installation executable is run on Windows 95, 98 or ME (or FAT drives) it drops a DLL to the Windows System folder with a filename consisting of 7 random characters a-z and an extension of DLL.

When the installation executable is run on a Windows NT, 2000 or XP system with an NTFS drive it drops the DLL as an ADS stream associated with the Windows System folder (typically <WINDOWS>\System32). The new ADS stream will also have a random 7-character name with an extension of DLL.

The installation executable then launches the DLL component which adds its pathname to the following registry entry, so that it is run automatically each time Windows is started:

HKLMSoftware\Microsoft\Windows\CurrentVersion\RunOnce
\<random filename> = rundll32 %SYSTEM% <random filename>.dll,Init 1

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
\<random filename> = rundll32 %SYSTEM% <random filename>,Init 1

The DLL component injects itself into the EXPLORER process making it invisible in the Task Manager process list.

Troj/CoreFloo-C also has anti-delete functionality which attempts to prevent viral processes from being terminated and resets the above registry entries if they are removed.


http://www.sophos.com/virusinfo/analyses/trojcoreflooc.html