Threat behavior
Backdoor:Win32/Afcore.gen!B is a generic detection for a family of backdoor trojans that connect to a remote server to retrieve commands, which they then execute on the compromised system. The backdoor usually arrives with a dropper component that modifies the system so that the dropped backdoor DLL is loaded into a legitimate Windows process (Explorer.exe) rather than running as a process of its own.
Installation
Upon execution, Backdoor:Win32/Afcore.gen!B drops the following files:
%TEMP%\<random string 1>.dll - detected as Backdoor:Win32/Afcore.gen!B
<system folder>\<random string 2>.dil - also detected as Backdoor:Win32/Afcore.gen!B
<system folder>\<random string 3>.dat - data file
<system folder>\<random string 4>.dat - data file
<system folder>\<random string 5>.dat - data file
<system folder>\<random string 6>.dat - data file
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
For example:
%TEMP%\gnfl.dll - detected as Backdoor:Win32/Afcore.gen!B
<system folder>\iaspojcy.dil - also detected as Backdoor:Win32/Afcore.gen!B
<system folder>\iaspojcy.dat - data file
<system folder>\comrspl.dat - data file
<system folder>\kbdmlv47.dat - data file
It registers the dropped .dil file as a COM in-process server and lists that COM object as a shell icon overlay handler. Explorer.exe loads every registered overlay handler when it starts, so the backdoor DLL is loaded into Explorer each time Windows starts without any Run key being created. The CLSID and the subkey names are derived from the .dil file's base name (<random string 2> above):
Adds value: "(default)"
With data: "<random string 2 without extension>"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{<random UUID>}
Adds value: "(default)"
With data: "<system folder>\<random string 2>.dil"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{<random UUID>}\InprocServer32
Adds value: "(default)"
With data: "{<random UUID>}"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\<random string 2 without extension>
For example:
Adds value: "(default)"
With data: "iaspojcy"
To subkey: HKLM\Software\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}
Adds value: "(default)"
With data: "<system folder>\iaspojcy.dil"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}\InprocServer32
Adds value: "(default)"
With data: "{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\iaspojcy
Backdoor:Win32/Afcore.gen!B restarts 'Explorer.exe' so that the malicious DLL file is loaded into its memory space.
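The persistence described above leaves a clear trail in the registry: an overlay handler whose CLSID resolves to an in-process server that is not a normal .dll, sits in the System folder, and is not signed by Microsoft. The following PowerShell script is an added triage example, not code from the original write-up or from Microsoft. It walks every ShellIconOverlayIdentifiers entry, resolves its InprocServer32 module, and flags the traits the Afcore dropper produces. It assumes it is run elevated on the host being examined and uses only built-in cmdlets; the function name Get-OverlayHandlerReport is the example's own.

```powershell
# Added example: audit shell icon overlay handlers for Afcore-style persistence.
# Not part of the original write-up. Assumes an elevated session and no extra modules.

$overlayRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
$classesRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
$system32    = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32

function Get-OverlayHandlerReport {
    foreach ($entry in Get-ChildItem -Path $overlayRoot -ErrorAction SilentlyContinue) {
        # The "(default)" value of each overlay subkey holds the handler's CLSID.
        $clsid = (Get-ItemProperty -Path $entry.PSPath).'(default)'
        if (-not $clsid) { continue }

        # Resolve CLSID -> InprocServer32 -> module path, expanding %SystemRoot% etc.
        $serverKey = Join-Path $classesRoot "$clsid\InprocServer32"
        $rawPath   = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
        $dllPath   = if ($rawPath) { [Environment]::ExpandEnvironmentVariables($rawPath) } else { $null }

        $flags = @()
        if (-not $dllPath) {
            $flags += 'no InprocServer32 path'
        }
        else {
            # Afcore registers a .dil; legitimate overlay handlers (OneDrive, Dropbox,
            # TortoiseSVN and the like) are .dll files.
            if ([IO.Path]::GetExtension($dllPath) -ne '.dll') { $flags += 'non-.dll extension' }

            if (-not (Test-Path -LiteralPath $dllPath)) {
                $flags += 'file missing'
            }
            else {
                $sig = Get-AuthenticodeSignature -FilePath $dllPath
                if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }

                # A handler dropped straight into System32 that Windows did not ship
                # is exactly the pattern this family uses.
                if ($dllPath.StartsWith($system32, 'OrdinalIgnoreCase') -and -not $sig.IsOSBinary) {
                    $flags += 'in System32 but not an OS binary'
                }
            }
        }

        [pscustomobject]@{
            Entry  = $entry.PSChildName
            CLSID  = $clsid
            Module = $dllPath
            Flags  = ($flags -join '; ')
        }
    }
}

# Flagged handlers first, clean ones after.
Get-OverlayHandlerReport | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

A hit with "non-.dll extension" and "in System32 but not an OS binary" on the same entry is the combination to act on: remove the ShellIconOverlayIdentifiers subkey, the CLSID key it points to, and the module itself, then restart Explorer.exe so the handler is unloaded. Unsigned but otherwise ordinary .dll handlers from third-party software are common and should be checked rather than deleted on sight.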
Payload
Performs backdoor functionality
Backdoor:Win32/Afcore.gen!B opens a TCP port and waits for commands from a remote attacker. Because the DLL runs inside Explorer.exe, the listening socket is owned by Explorer rather than by a separate malware process. The attacker could, for example, instruct the backdoor to capture passwords or to attack other computers.
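Two things follow from the payload description that a responder can check directly on a live host: Explorer.exe should never hold a listening TCP socket, and the modules loaded into it should all be ordinary, signed .dll files. The following PowerShell script is an added example, not code from the original write-up or from Microsoft. It lists listening sockets owned by any explorer.exe process and any module in those processes that is not a .dll or lacks a valid signature. It assumes an elevated session on Windows 8/Server 2012 or later (Get-NetTCPConnection comes from the built-in NetTCPIP module; on older systems substitute netstat -ano); the function name Get-ExplorerBackdoorIndicators is the example's own.

```powershell
# Added example: look for an Afcore-style backdoor living inside Explorer.exe.
# Not part of the original write-up. Assumes an elevated session and the
# built-in NetTCPIP module (Windows 8 / Server 2012 or later).

function Get-ExplorerBackdoorIndicators {
    $explorer = @(Get-Process -Name explorer -ErrorAction SilentlyContinue)
    if ($explorer.Count -eq 0) { return }
    $explorerPids = $explorer | ForEach-Object { $_.Id }

    # 1. Explorer has no business accepting inbound TCP connections. Any
    #    LISTEN socket owned by it is a strong indicator on its own.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $explorerPids -contains $_.OwningProcess }
    foreach ($l in $listeners) {
        [pscustomobject]@{
            Kind   = 'ListeningSocket'
            Pid    = $l.OwningProcess
            Detail = "$($l.LocalAddress):$($l.LocalPort)"
        }
    }

    # 2. Modules loaded into Explorer that are not .dll files (Afcore uses .dil)
    #    or that carry no valid Authenticode signature.
    foreach ($proc in $explorer) {
        $modules = @()
        try { $modules = $proc.Modules } catch { }   # access denied on some modules if not elevated
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $ext = [IO.Path]::GetExtension($path).ToLowerInvariant()
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue

            $oddExtension = ($ext -ne '.dll') -and ($ext -ne '.exe')
            $badSignature = ($sig -ne $null) -and ($sig.Status -ne 'Valid')

            if ($oddExtension -or $badSignature) {
                [pscustomobject]@{
                    Kind   = 'SuspiciousModule'
                    Pid    = $proc.Id
                    Detail = "$path (ext=$ext, signature=$(if ($sig) { $sig.Status } else { 'unknown' }))"
                }
            }
        }
    }
}

Get-ExplorerBackdoorIndicators | Format-Table -AutoSize
```

The listening socket and a module with a non-standard extension are the decisive signals; an unsigned third-party shell extension on its own is only a lead. If a listener is found, record the remote endpoints with Get-NetTCPConnection -State Established for the same process before terminating Explorer, since that is the only view of the command server the host will give you.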
Analysis by Jireh Sanico
Prevention