Sophos

Troj/CoreFloo-D

Aliases
  • Backdoor.Afcore.z

Summary

Included in our products from February 2004 (3.78)
Protection available since 23 December 2003 10:56:09 (GMT)
Detected by All Sophos products

More Information

Troj/CoreFloo-D is a backdoor Trojan which allows a remote intruder to access and control the infected computer.

The Trojan arrives as an executable with a random filename consisting of 7 characters A-Z with an EXE extension.

When the installation executable is run on Windows 95, 98 or ME it drops a DLL to the Windows System folder with a filename consisting of 7 random characters A-Z with a DLL extension.

When the installation executable is run on Windows NT, 2000 or XP it drops the DLL as an ADS stream associated with the Windows System folder (typically <WINDOWS>\System32). The new ADS stream will also have a random 7 character name with an extension of DLL.

The installation executable then launches the DLL component which adds its pathname to the following registry entry, so that it is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
<random filename> = rundll32 %SYSTEM% <random filename>.dll,Init 1

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<random filename> = rundll32 %SYSTEM% <random filename>,Init 1
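The following is an added example (not Sophos's code, and not taken from the Trojan) showing how a defender could check already-collected Run/RunOnce values and System folder stream names for the layout described above: a 7-letter A-Z name, a rundll32 command loading a DLL of the same name with the "Init 1" entry point, and a 7-letter .dll stream on the System folder. The sample values are constructed; the exact separator between the path and the DLL name, and the `dir /r` stream format, are assumptions.

```python
import re

# Autorun keys named on the page (matched case-insensitively, as the registry is).
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
_RUN_KEYS_LC = {k.lower() for k in RUN_KEYS}

# Value name: 7 letters. Value data: rundll32 loading <name>.dll with entry point
# "Init 1" (the page shows the .dll suffix present in one key and absent in the
# other, so it is optional here). Assumption: the System path is followed by
# either a backslash or a space before the DLL name.
RANDOM_NAME = re.compile(r"[A-Z]{7}", re.IGNORECASE)
RUNDLL_LOADER = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<path>.*?)[\\\s](?P<dll>[A-Z]{7})(?:\.dll)?,Init\s+1",
    re.IGNORECASE,
)
# A stream entry as `dir /r` lists it (assumed format): "System32:NAME.dll:$DATA".
STREAM_NAME = re.compile(r"(?:.*:)?(?P<name>[A-Z]{7}\.dll)(?::\$DATA)?", re.IGNORECASE)


def suspicious_run_values(values):
    """values: iterable of (key, value_name, value_data) tuples, e.g. parsed from a
    registry export. Returns the tuples matching the CoreFloo-D autorun layout."""
    hits = []
    for key, name, data in values:
        if key.lower() not in _RUN_KEYS_LC or not RANDOM_NAME.fullmatch(name):
            continue
        m = RUNDLL_LOADER.fullmatch(data.strip())
        # The DLL being loaded must carry the same random name as the value itself.
        if m and m.group("dll").upper() == name.upper():
            hits.append((key, name, data))
    return hits


def suspicious_streams(stream_names):
    """stream_names: stream entries listed for the Windows System folder. Returns
    the 7-letter .dll stream names; the folder's own unnamed $DATA is ignored."""
    hits = []
    for entry in stream_names:
        m = STREAM_NAME.fullmatch(entry.strip())
        if m:
            hits.append(m.group("name"))
    return hits


# Constructed sample input (not real registry data or directory listing output).
SAMPLE_VALUES = [
    (RUN_KEYS[0], "QWERTYU", r"rundll32 C:\WINDOWS\System32\QWERTYU.dll,Init 1"),
    (RUN_KEYS[1], "ZXCVBNM", r"rundll32 C:\WINDOWS\System32 ZXCVBNM,Init 1"),
    (RUN_KEYS[0], "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (RUN_KEYS[0], "NvCplDaemon", r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"),
]
SAMPLE_STREAMS = ["System32:$DATA", "System32:ABCDEFG.dll:$DATA", "System32:Zone.Identifier:$DATA"]

if __name__ == "__main__":
    for key, name, data in suspicious_run_values(SAMPLE_VALUES):
        print(f"suspicious autorun: {key}\\{name} = {data}")
    for name in suspicious_streams(SAMPLE_STREAMS):
        print(f"suspicious stream on System folder: {name}")
```

A hit on either check is a prompt to inspect the file, not proof of this Trojan on its own, since a DLL name or stream that merely looks random can be legitimate.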

The DLL component injects itself into the EXPLORER process, so it does not appear as a separate entry in the Task Manager process list.

The DLL contacts hosts from a list embedded in the Trojan body, sending an HTTP POST request to a CGI script on the remote host, in order to receive parameters for further processing. The HTTP response carries configuration for the backdoor built into the DLL, such as listening ports and other information.

Troj/CoreFloo-D also has anti-delete functionality: it restarts its own processes if they are terminated and recreates the above registry entries if they are removed.
