Threat behavior
Backdoor:Win32/Afcore.CE is a backdoor trojan that connects to a remote server to retrieve commands from an attacker.
Installation
Backdoor:Win32/Afcore.CE is composed of an executable and a library component. Its executable may arrive in the system with a variety of file names. Some of the file names it has been known to use are the following:
- flashload.exe
- wmedia106.exe
It also drops a randomly named library file in the system, which is also detected as Backdoor:Win32/Afcore.CE. The naming convention it follows for the dropped library file is the following:
- %Temp%\<4 random characters>.dll - for example jpad.dll
- <system folder>\<7 random characters>.dil - for example ddrawea.dil (note that this extension is DIL, rather than DLL)
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It then injects the library into the legitimate process "explorer.exe".
The library then creates a randomly named data file in which it logs its activity.
To run automatically every time Windows starts, it registers its library as an icon overlay handler - a shell extension that Explorer loads in order to draw small overlay images on file icons - by adding the following registry entries:
Adds value: "(default)"
With data: "<Malware file name>"
To subkey: HKLM\Software\Classes\CLSID\<Random CLSID>
Adds value: "(default)"
With data: "<system folder>\<Malware file name>.dil (or dll)"
To subkey: HKLM\SOFTWARE\Classes\CLSID\<Random CLSID>\InprocServer32
Adds value: "(default)"
With data: "<Random CLSID>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\<Malware file name>
Adds value: "FaultCount"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
where <Malware file name> is the name of the library file that Afcore.CE drops.
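As an added example (not part of the original analysis), the following Python script reads a `reg export` of the ShellIconOverlayIdentifiers and CLSID keys, resolves each overlay handler to its InprocServer32 library, and flags the pattern described above: a handler whose library has a non-.dll extension such as .dil, lives under a Temp folder, or has no in-process server registered at all. The export text, CLSIDs, overlay names and paths are constructed placeholders.

```python
# Constructed Regedit 5.00 export: CLSIDs, names and paths are placeholders, not real indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ddrawea]
@="{00000000-1111-2222-3333-444444444444}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\VendorOverlay]
@="{55555555-6666-7777-8888-999999999999}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Orphan]
@="{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Windows\\System32\\ddrawea.dil"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55555555-6666-7777-8888-999999999999}\InprocServer32]
@="C:\\Program Files\\Vendor\\overlay.dll"
"""
OVERLAY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers" + "\\"
CLSID_ROOT = r"hkey_local_machine\software\classes\clsid" + "\\"

def parse_reg(text):
    """Parse a Regedit 5.00 export into {lower-cased key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # reg export escapes backslashes and quotes inside string data
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys

def find_suspicious_overlays(text):
    """Resolve each overlay handler to its library and flag the Afcore.CE pattern."""
    findings = []
    keys = parse_reg(text)
    for key, values in keys.items():
        if not key.startswith(OVERLAY_KEY):
            continue
        name = key[len(OVERLAY_KEY):]
        server = CLSID_ROOT + values.get("(default)", "").lower() + "\\inprocserver32"
        path = keys.get(server, {}).get("(default)")
        if path is None:
            findings.append((name, None, "CLSID has no InprocServer32 (orphaned or hidden handler)"))
        elif not path.lower().endswith(".dll"):
            findings.append((name, path, "handler is not a .dll (Afcore.CE uses .dil)"))
        elif "\\temp\\" in path.lower():
            findings.append((name, path, "handler loaded from a Temp folder"))
    return findings
```

On a live system, concatenate the output of `reg export` for the ShellIconOverlayIdentifiers key and for HKLM\SOFTWARE\Classes\CLSID (the files are UTF-16 encoded, so read them with that encoding) and pass the text to `find_suspicious_overlays`.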
Payload
Backdoor Functionalities
Backdoor:Win32/Afcore.CE connects to a remote server to retrieve commands that it executes on the system. Actions that a remote attacker can trigger by command include the following:
- Retrieve usernames and passwords
- Download and execute arbitrary files
Analysis by Elda Dimakiling
Prevention