Backdoor:Win32/Afcore.gen!E is a generic detection for a family of backdoor trojans that connects to a remote server to retrieve commands that it executes on the system. It usually arrives with a dropper component that modifies the system so that the dropped backdoor is injected into a legitimate Windows process such as "Explorer.exe".
Installation
Upon execution, Backdoor:Win32/Afcore.gen!E drops the following files:
%TEMP%\<random string 1>.dll - detected as Backdoor:Win32/Afcore.gen!E
<system folder>\<random string 2>.dil or <random string 2>.ocx - detected as Backdoor:Win32/Afcore.gen!E
<system folder>\<random string 3>.dat - data file
<system folder>\<random string 4>.dat - data file
<system folder>\<random string 5>.dat - data file
<system folder>\<random string 6>.dat - data file
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
For example:
%TEMP%\ekpg.dll - Backdoor:Win32/Afcore.gen!B
<system folder>\msvcpd0.ocx - Backdoor:Win32/Afcore.gen!B
<system folder>\msvcpd0.dat - data file
<system folder>\mstatki.dat - data file
<system folder>\colbacya.dat - data file
The registry is modified so that the component dropped into the Windows system folder is loaded every time Windows starts. Rather than using a conventional Run key, the malware registers the dropped .ocx or .dil file as a COM in-process server under a random CLSID, then registers that CLSID as a shell icon overlay handler; Explorer.exe loads every handler listed under ShellIconOverlayIdentifiers when it starts, so the DLL is loaded into Explorer's address space without a separate process of its own.
Adds value: "(default)"
With data: "<random string 2 with no extension>"
To subkey: HKLM\Software\Classes\CLSID\{<random UUID>}
Adds value: "(default)"
With data: "<system folder>\<random string 2>.ocx" or "<system folder>\<random string 2>.dil"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{<random UUID>}\InprocServer32
Adds value: "(default)"
With data: "{<random UUID>}"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\<random string 2 without extension>
For example:
Adds value: "(default)"
With data: "msvcpd0"
To subkey: HKLM\Software\Classes\CLSID\{D60336E9-3D5D-7074-C027-9C41742CEBE7}
Adds value: "(default)"
With data: "<system folder>\msvcpd0.ocx"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{D60336E9-3D5D-7074-C027-9C41742CEBE7}\InprocServer32
Adds value: "(default)"
With data: "{d60336e9-3d5d-7074-c027-9c41742cebe7}"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\msvcpd0
Backdoor:Win32/Afcore.gen!E then restarts 'Explorer.exe'. On startup Explorer instantiates each registered icon overlay handler, which causes the malicious in-process server DLL to be loaded into Explorer's memory space immediately, without waiting for the next reboot.
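The persistence pattern above (a CLSID whose InprocServer32 points at an .ocx/.dil file in the system folder, registered as a shell icon overlay handler, with a same-named .dat beside it) can be hunted for directly in the registry. The following PowerShell script is an added example for this page and is not code from the original encyclopedia entry or from Microsoft; it enumerates every ShellIconOverlayIdentifiers entry, resolves the CLSID to its DLL, and flags entries that match the indicators described above. The key paths and file patterns come from the entry; the "suspicious" verdict, the signature check and the loaded-module check are triage heuristics added here, not a detection signature, and the script assumes it is run in an elevated PowerShell on the host being examined.

```powershell
# Added example (not part of the original Afcore entry): triage shell icon overlay
# handlers for the Afcore-style persistence pattern documented above.
# Assumes: elevated PowerShell 3.0+ on the host under investigation.

$OverlayRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
$ClsidRoot   = 'HKLM:\SOFTWARE\Classes\CLSID'
$SystemDir   = [Environment]::GetFolderPath('System')    # e.g. C:\Windows\System32

# DLLs currently mapped into explorer.exe, used to confirm a handler is live.
$ExplorerModules = @()
try {
    $ExplorerModules = @(Get-Process -Name explorer -ErrorAction Stop |
        ForEach-Object { $_.Modules.FileName } |
        ForEach-Object { $_.ToLowerInvariant() })
} catch { }   # Explorer not running or module list inaccessible

function Get-OverlayHandlerReport {
    Get-ChildItem -Path $OverlayRoot -ErrorAction Stop | ForEach-Object {
        $entryName = $_.PSChildName
        $clsid     = [string]$_.GetValue('')          # "(default)" value, e.g. {D60336E9-...}
        $clsidKey  = Join-Path $ClsidRoot $clsid
        $serverKey = Join-Path $clsidKey 'InprocServer32'
        $clsidName = ''
        $dllPath   = ''

        if (Test-Path -Path $clsidKey) {
            $clsidName = [string](Get-Item -Path $clsidKey).GetValue('')
        }
        if (Test-Path -Path $serverKey) {
            $dllPath = [Environment]::ExpandEnvironmentVariables(
                           [string](Get-Item -Path $serverKey).GetValue(''))
        }

        $reasons = New-Object System.Collections.Generic.List[string]
        if ($dllPath) {
            $ext  = [IO.Path]::GetExtension($dllPath).ToLowerInvariant()
            $base = [IO.Path]::GetFileNameWithoutExtension($dllPath)
            $dir  = [IO.Path]::GetDirectoryName($dllPath)

            # Afcore drops the server as <name>.ocx or <name>.dil directly in the system folder.
            if (($ext -in '.ocx', '.dil') -and ($dir -ieq $SystemDir)) {
                $reasons.Add("in-process server is a $ext file in $SystemDir")
            }
            # The overlay entry name and the CLSID default both repeat the DLL base name.
            if (($entryName -ieq $base) -and ($clsidName -ieq $base)) {
                $reasons.Add('overlay name, CLSID name and DLL base name are identical')
            }
            # A same-named .dat beside the DLL matches the data-file pattern above.
            if (Test-Path -Path (Join-Path $dir "$base.dat")) {
                $reasons.Add("companion $base.dat present")
            }
            if (Test-Path -Path $dllPath -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -FilePath $dllPath
                if ($sig.Status -ne 'Valid') { $reasons.Add("Authenticode status: $($sig.Status)") }
            } else {
                $reasons.Add('DLL path does not exist on disk')
            }
        } else {
            $reasons.Add('CLSID has no InprocServer32 default value')
        }

        [pscustomobject]@{
            OverlayEntry     = $entryName
            Clsid            = $clsid
            ServerDll        = $dllPath
            LoadedInExplorer = [bool]($dllPath -and ($ExplorerModules -contains $dllPath.ToLowerInvariant()))
            Suspicious       = ($reasons.Count -gt 0)
            Reasons          = ($reasons -join '; ')
        }
    }
}

Get-OverlayHandlerReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Legitimate overlay handlers (cloud-storage clients, TortoiseSVN and the like) will show up too, usually installed under Program Files and signed; the combination of an unsigned .ocx/.dil in System32, a matching .dat file and identical entry/CLSID/file names is what distinguishes the pattern this entry describes. Any flagged DLL should be acquired for analysis before the registry entries are removed, since deleting the overlay entry alone leaves the file and the CLSID registration in place.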
Payload
Allows backdoor access and control
Backdoor:Win32/Afcore.gen!E opens a TCP port and waits for commands from a remote attacker. An attacker could send commands to capture passwords and/or attack other computers.
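Because the backdoor runs inside Explorer.exe, its listening port and its connection back to the remote server both appear as sockets owned by explorer.exe, which normally has no listening sockets at all. The following PowerShell function is an added triage example for this page, not code from the original entry; it lists every TCP endpoint owned by an explorer.exe process and labels listening and established ones. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection; the labels are a prompt to pull the process's loaded modules, not a verdict on their own.

```powershell
# Added example (not part of the original Afcore entry): list TCP endpoints owned
# by explorer.exe so that a bound port or an outbound session hosted by a backdoor
# DLL stands out. Assumes Get-NetTCPConnection (Windows 8 / Server 2012 or later).

function Get-ExplorerTcpEndpoints {
    $explorerPids = @(Get-Process -Name explorer -ErrorAction SilentlyContinue |
                      ForEach-Object { $_.Id })
    if ($explorerPids.Count -eq 0) { return }

    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $explorerPids -contains $_.OwningProcess } |
        ForEach-Object {
            # Per the entry: the backdoor binds a port and waits for commands, and
            # also reaches out to its command server. Either shows up here.
            $flag = switch ($_.State) {
                'Listen'      { 'explorer.exe is listening; Explorer normally has no listening sockets' }
                'Established' { 'explorer.exe has an active session; verify the remote peer' }
                default       { '' }
            }
            [pscustomobject]@{
                Pid            = $_.OwningProcess
                State          = $_.State
                LocalEndpoint  = "$($_.LocalAddress):$($_.LocalPort)"
                RemoteEndpoint = "$($_.RemoteAddress):$($_.RemotePort)"
                Flag           = $flag
            }
        }
}

Get-ExplorerTcpEndpoints | Format-Table -AutoSize
```

An established session from Explorer is not malicious by itself (Explorer does talk to the network for shares, WebDAV and similar), but a LISTEN socket owned by explorer.exe has no benign explanation on a standard workstation and, taken together with an unsigned .ocx/.dil overlay handler from the Installation section, is strong evidence of this family. Cross-check the owning process's loaded modules against the handler DLL resolved from the registry before cleaning.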
Analysis by Patrick Nolan