Details
Backdoor.Afcore.q
Afcore is a backdoor Trojan program that appears as a Windows application file (.dll file) with a size of about 110KB. The Trojan has numerous functions that give ‘evildoers’ almost full control of victim computers.
Infected message body text contains the following:
If you read this, then this program was probably stolen from our laboratory. Author of this software is not responsible for any harm that may be caused by incompetent or malicious persons who use this software possibly running on your machine. Therefore, please remove this software as soon as possible. Click the “Start” menu, select “Run”, enter there: rundll32 ,Uninstall and click “OK”
Upon being launched (executed) the backdoor program installs itself into the supplemental file stream of the NTFS that is associated with the system32 catalog system.
The backdoor registers itself into the system registry auto run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run (assigned name) =
rundll32 (path to the backdoor program),(options)

The file name is formed from a combination of arbitrary symbols.
The backdoor program has several options that it can use:
DebugBreakpoint
DebugInit
Init
InitService
SpawnedInit
Uninstall

To remotely uninstall itself from victim machines the backdoor uses the following command:
rundll32 ÄÉÓË:\%windir%\system32:(name of the backdoor.dll file),Uninstall

When the uninstall command is sent, the afcore virus uninstalls itself from the system registry and remaining only in the file stream and is no longer managed by the start system. To remove the afcore backdoor program from the file stream it is necessary to use a special utility.

Related Posts

This entry was posted on Saturday, July 8th, 2006 at 10:00 am and is filed under Virus Threats.