CoreFlood

This page shows details and results of our analysis on the malware CoreFlood

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

4165 (2001-10-10)

Updated DAT

5996 (2010-05-28)

Minimum Engine

5400.1158

File Length

Varies

Description Added

2003-05-20

Description Modified

2003-11-04

Malware Proliferation

Characteristics

This detection covers multiple versions of a remote access trojan. The trojan is multicomponent in nature, reliant upon EXE and DLL components.

Early variants served to perform a denial of service attack against a remote machine. Later variants retrieve and install a reasonably sophisticated proxy component, the author's intended name for which is 'AutoProxy'.

The description below is specific to one such variant, reported from the field. This particular variant requires the 4252 DATs (or greater) for detection. Users are recommended to use the latest DATs for optimal detection and cleaning of all variants.

Exact file sizes obviously vary between variants, but the general characteristics described below are consistent.

'Core' Installation

It is likely that this component of the trojan is downloaded to the victim machine via a JavaScript trojan detected as JS/Cisp. This script results in the downloading of a 5,120-byte PE executable (with the filename README.TXT).

When the 5,120 byte executable is run, it extracts a DLL from its body, saving it to disk as:

%SysDir%\XXXXXXX.DLL (20,480 bytes)

(where %SysDir% is the Windows System directory, and XXXXXXX represents 7 random characters, e.g. C:\WINDOWS\SYSTEM\AVCXKDM.DLL)

The EXE and the DLL are detected as CoreFlood and CoreFlood.dll respectively by the latest engine/DATs.

Code within the DLL is run via a function call by the executable. The DLL is injected into the memory space of EXPLORER.EXE. In this manner personal firewalls may be bypassed (if EXPLORER.EXE is a "trusted" process).

'Proxy' Installation

An attempt to download (and execute) another binary (the "Proxy" component) is then made. This serves as an HTTP and SOCKS proxy.

If successful, this file is saved to disk as a randomly named (7 characters) EXE. Once again, a DLL is extracted from its body and saved to disk as a similarly named DLL, for example:

%SysDir%\XQRXCCJ.EXE (28,160 bytes)
%SysDir%\XQRXCCJ.DLL (69,632 bytes)

(Differing versions of the proxy component will have differing file sizes of course.)

The following Registry key is set to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"XXXXXXX" = %SysDir%\XXXXXXX.EXE

(where XXXXXXX represents the 7 random characters used for the trojan filenames)

The EXE and the DLL are detected as CoreFlood and CoreFlood.dll respectively by the latest engine/DATs.

As with the "core" component described above, code within the DLL is run via a function call by the executable. Once again the DLL is injected into the memory space of EXPLORER.EXE.

A configuration file is then requested (via HTTP) from a remote server. This file contains text data referencing a URL, IP addresses and other strings that appear to relate to backdoor functionality.

Subsequent HTTP traffic to the URL and IP address specified in the configuration file is observed. Obviously target URLs and IPs can be modified trivially by updating the configuration file.

Symptoms

  • Existence of files and the Registry key detailed above
  • EXPLORER.EXE process attempting to access remote servers unexpectedly
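The two symptoms above can be checked mechanically. The following Python script is an added example, not part of the McAfee description and not McAfee tooling: it takes constructed stand-ins for a dump of the Run key, a listing of the system directory and a netstat-style connection table, and reports (a) Run values whose name is a seven-character random string pointing at a same-named EXE in the system directory with a companion DLL beside it, and (b) EXPLORER.EXE connections to addresses outside the local ranges. The function names, the sample values, the assumed system directory C:\WINDOWS\SYSTEM and the assumption that the seven random characters are upper-case letters (as in the page's own examples) are all mine.

```python
"""Hunt for the file, Run-key and network symptoms listed above.

Added example, not part of the McAfee description. Inputs are constructed
stand-ins for what a responder would pull from the registry, a directory
listing and a netstat-style connection table; the function names, sample
values and assumed system directory are assumptions of this example.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Assumed Windows 9x/ME-style system directory, as in the page's example path.
SYSDIR = "C:\\WINDOWS\\SYSTEM"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# The page says the trojan uses seven random characters for its file names and
# Run value; its examples are upper-case letters, so A-Z is an assumption here.
RANDOM_NAME = re.compile(r"^[A-Z]{7}$")


def _target_path(run_data: str, sysdir: str) -> str:
    """Extract the executable path from a Run value's data.

    Handles a "quoted path" followed by arguments, an unquoted path followed
    by arguments, and the %SysDir% placeholder used on this page.
    """
    data = run_data.strip().replace("%SysDir%", sysdir)
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def find_coreflood_run_entries(run_values: Dict[str, str],
                               sysdir_files: Iterable[str],
                               sysdir: str = SYSDIR) -> List[Tuple[str, str, str]]:
    """Return (value_name, exe_path, dll_path) for Run entries that match the
    description: value name equals the seven-character file stem, the EXE lives
    in the system directory, and a same-named DLL sits beside it."""
    files = {f.upper() for f in sysdir_files}
    hits = []
    for name, data in run_values.items():
        target = _target_path(data, sysdir)
        directory, _, filename = target.rpartition("\\")
        stem, _, ext = filename.upper().rpartition(".")
        if directory.upper() != sysdir.upper() or ext != "EXE":
            continue
        if name.upper() != stem or not RANDOM_NAME.match(stem):
            continue
        exe, dll = stem + ".EXE", stem + ".DLL"
        if exe in files and dll in files:
            hits.append((name, f"{sysdir}\\{exe}", f"{sysdir}\\{dll}"))
    return hits


# Local ranges EXPLORER.EXE may legitimately reach (file shares and the like).
# Checked explicitly rather than via ipaddress.is_private, so that the RFC 5737
# documentation addresses in the sample below count as remote.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def unexpected_explorer_connections(
        connections: Iterable[Tuple[str, str, int]]) -> List[Tuple[str, int]]:
    """Flag connections by EXPLORER.EXE to non-local addresses.

    connections: rows of (process_name, remote_ip, remote_port)."""
    hits = []
    for proc, ip, port in connections:
        if proc.upper() != "EXPLORER.EXE":
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LOCAL_NETS):
            continue
        hits.append((ip, port))
    return hits


# Constructed sample data (not captured from a real infection).
SAMPLE_RUN_VALUES = {
    "XQRXCCJ": "C:\\WINDOWS\\SYSTEM\\XQRXCCJ.EXE",          # matches the description
    "ABCDEFG": "%SysDir%\\ABCDEFG.EXE",                    # 7 chars, but no companion DLL
    "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",  # ordinary Win9x entry
}
SAMPLE_SYSDIR_FILES = ["XQRXCCJ.EXE", "XQRXCCJ.DLL", "ABCDEFG.EXE",
                       "AVCXKDM.DLL", "SHELL32.DLL", "KERNEL32.DLL"]
SAMPLE_CONNECTIONS = [
    ("EXPLORER.EXE", "192.168.1.5", 139),    # local file share, expected
    ("EXPLORER.EXE", "203.0.113.45", 80),    # config fetch over HTTP
    ("EXPLORER.EXE", "198.51.100.7", 1080),  # SOCKS traffic
    ("IEXPLORE.EXE", "198.51.100.7", 80),    # browser, not in scope here
]

if __name__ == "__main__":
    for name, exe, dll in find_coreflood_run_entries(SAMPLE_RUN_VALUES, SAMPLE_SYSDIR_FILES):
        print(f'{RUN_KEY}\\"{name}" -> {exe} (companion {dll})')
    for ip, port in unexpected_explorer_connections(SAMPLE_CONNECTIONS):
        print(f"EXPLORER.EXE -> {ip}:{port}")
```

The Run-key check deliberately requires all three conditions (random seven-character name, EXE in the system directory, same-named DLL present) because seven-letter names alone are common among legitimate system DLLs (SHELL32, WININET, VERSION); the orphan AVCXKDM.DLL in the sample is therefore not reported on its own. The network check is a coarse filter: on the Windows versions this description targets, outbound traffic from EXPLORER.EXE to an Internet address is itself the anomaly, and any hit should be correlated with the file and registry findings rather than treated as proof.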

Method of Infection

This trojan is a remote access trojan which (in early variants) serves to deliver a denial of service attack against remote machines. The trojan also retrieves and installs a proxy component (HTTP and SOCKS proxy).

The main functionality of the trojan is within its DLL component, which is called via an EXE loader. The DLL is injected into the EXPLORER.EXE process, in order to bypass personal firewall alerts. A similar mechanism is utilised by the proxy component, which again involves EXE and DLL components, the DLL injected into EXPLORER.EXE.

Removal

All Users:
Use specified engine and DAT files for detection.

Please Note: Because the DLL component of this trojan is injected into the memory space of EXPLORER.EXE, removal from an infected system is complex and requires rebooting into Safe Mode. The following steps should be taken:

  • Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode)
  • Run VirusScan and choose to clean all infected files
  • Restart the computer
Additional Windows ME/XP removal considerations

Variants