Summary

| Protection available since | 21 October 2003 15:44:48 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Please read the Troj/CoreFloo-C disinfection instructions.
More Information
Troj/CoreFloo-C is a backdoor Trojan which allows a remote intruder to access and control the computer via IRC channels.
The Trojan arrives as an installation executable with a random filename consisting of 7 characters a-z and an extension of EXE.
When the installation executable is run on Windows 95, 98 or ME (or FAT drives) it drops a DLL to the Windows System folder with a filename consisting of 7 random characters a-z and an extension of DLL.
When the installation executable is run on a Windows NT, 2000 or XP system with an NTFS drive it drops the DLL as an ADS file associated with the Windows System folder (typically <WINDOWS>\System32). The new ADS file will also have a random 7-character name with an extension of DLL.
The installation executable then launches the DLL component, which adds its pathname to the following registry entries so that it is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
\<random filename> = rundll32 %SYSTEM% <random filename>.dll,Init 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
\<random filename> = rundll32 %SYSTEM% <random filename>,Init 1
The DLL component injects itself into the EXPLORER process, making it invisible in the Task Manager process list.
Troj/CoreFloo-C also has anti-delete functionality which attempts to prevent viral processes from being terminated and resets the above registry entries if they are removed.
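A check for the Run and RunOnce pattern described above, as an added example (not Sophos code): it parses the text output of `reg query` for both keys and flags values whose data is rundll32 loading a DLL with a 7-letter name and the argument `Init 1`. The function name, the sample data and the accepted separators between the system folder and the filename are assumptions, since the page does not show the separator clearly.

```python
import re

# Run-key data as described above: rundll32 <system folder><sep><7 letters>[.dll],Init 1
# Assumption: the separator is not legible on the page, so "\", ":" (ADS) or a
# space is accepted before the 7-letter name.
DATA_RE = re.compile(
    r"^\s*rundll32(?:\.exe)?\s+.*?[\\: ]([a-z]{7})(?:\.dll)?\s*,\s*Init\s+1\s*$",
    re.IGNORECASE,
)
# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

def find_suspect_autoruns(reg_query_output):
    """Return Run/RunOnce values whose data matches the described pattern."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith(("HKEY_", "HKLM\\")):
            key = line.strip()          # start of a new key section
            continue
        m = VALUE_RE.match(line)
        if not (m and key and key.lower().endswith(RUN_KEYS)):
            continue
        name, _reg_type, data = m.groups()
        d = DATA_RE.match(data)
        if d:
            stem = d.group(1).lower()
            hits.append({"key": key, "value": name, "dll_stem": stem,
                         "name_matches_dll": name.lower() == stem})
    return hits

# Constructed sample (not from a real host)
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    qwmzkra    REG_SZ    rundll32 C:\WINDOWS\System32:qwmzkra,Init 1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    qwmzkra    REG_SZ    rundll32 C:\WINDOWS\System32\qwmzkra.dll,Init 1
    cleanup    REG_SZ    rundll32.exe C:\WINDOWS\system32\advpack.dll,LaunchINFSection
"""

if __name__ == "__main__":
    for hit in find_suspect_autoruns(SAMPLE):
        print(hit)
```

Because the Trojan resets these entries when they are removed, a hit that reappears after deletion is consistent with the anti-delete behaviour described above.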

