When first run, Troj/Mdrop-CDP creates a DLL file on disk with a random name made of lowercase letters and numbers, with a .dIl extension ("dee", uppercase "eye", lowercase "ell").
The created DLL is detected as Troj/CoreFlood-N and is written to the system folder. On computers with an NTFS filesystem, this DLL may be created as an Alternate Data Stream (ADS), typically an ADS of the system folder (e.g., C:\Windows\system32:msxmc4.dIl).
The following registry entries are created to ensure Troj/CoreFlood-N is loaded when Windows starts, and when Explorer is run:
HKCR\CLSID\<random CLSID>\InprocServer32
<System>\<random lowercase name>.dIl
HKCR\CLSID\<random CLSID as above>
<random lowercase name as above>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
<random lowercase name as above>
<random CLSID as above>
Troj/CoreFlood Trojans typically log keystrokes and attempt to steal passwords, including banking passwords. Additionally, Troj/CoreFlood Trojans typically act as backdoors, allowing a remote attacker access to the infected computer and control over it.
Randomly named .dat files with encrypted contents may be created in the same folder as the dropped DLL. These are harmless and can be deleted, but the default system folder often contains critical .dat files, so use caution.
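The registry entries and file naming described above can be checked together during triage. The following Python sketch is an added example, not Sophos code. It assumes the overlay handler names and the InprocServer32 values have already been exported from the registry into two dictionaries; the CLSIDs and the k3x9ab and ExampleOverlay entries are constructed sample data.

```python
import ntpath
import re

# Constructed sample data (not from a real host), as exported from the registry.
OVERLAYS = {  # ShellIconOverlayIdentifiers: handler name -> CLSID
    "msxmc4": "{11111111-2222-3333-4444-555555555555}",
    "k3x9ab": "{66666666-7777-8888-9999-AAAAAAAAAAAA}",
    "ExampleOverlay": "{BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF}",
}
INPROC = {  # HKCR\CLSID\<CLSID>\InprocServer32: CLSID -> DLL path
    "{11111111-2222-3333-4444-555555555555}": r"C:\Windows\system32:msxmc4.dIl",
    "{66666666-7777-8888-9999-AAAAAAAAAAAA}": r"C:\Windows\system32\k3x9ab.dIl",
    "{BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF}": r"C:\Windows\system32\example.dll",
}

def split_stream(path):
    """Return (host_path, leaf_name, is_ads). A colon after the drive
    specifier marks an NTFS Alternate Data Stream."""
    drive, rest = ntpath.splitdrive(path)
    if ":" in rest:
        host, stream = rest.split(":", 1)
        return drive + host, stream, True
    return ntpath.dirname(path), ntpath.basename(path), False

def indicators(name, path):
    """List the traits from the write-up that this overlay handler shows."""
    _, leaf, is_ads = split_stream(path)
    stem, ext = ntpath.splitext(leaf)
    hits = []
    if ext == ".dIl":  # case-sensitive: d, uppercase I, l
        hits.append("dIl-extension")
    if is_ads:
        hits.append("alternate-data-stream")
    if stem == name and re.fullmatch(r"[a-z0-9]+", stem):
        hits.append("handler-name-matches-dll")
    return hits

def triage(overlays, inproc):
    """Map handler name -> indicators for handlers with a .dIl or ADS path."""
    report = {}
    for name, clsid in overlays.items():
        hits = indicators(name, inproc.get(clsid, ""))
        if "dIl-extension" in hits or "alternate-data-stream" in hits:
            report[name] = hits
    return report

if __name__ == "__main__":
    for name, hits in triage(OVERLAYS, INPROC).items():
        print(name, INPROC[OVERLAYS[name]], hits)
```

The extension comparison is deliberately case-sensitive, because Windows treats .dIl and .dll as the same when matched case-insensitively and the lookalike would otherwise go unnoticed.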