Classification

Category :

Malware

Type :

Backdoor

Aliases :

Afcore.q, TrojanDropper.Win32.Emaner, Backdoor.Afcore.q

Summary

This backdoor and its dropper incorporate the novel feature of storing data in a particular way provided by the NTFS file system: inside a file stream.

The backdoor itself allows remote usage of the infected machine.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The backdoor provides its own removal mechanism which, however, seems to leave some files on the system. It does remove the Registry key, so the backdoor won't run the next time Windows restarts.

If a Windows 2000, NT or XP system is already infected, removing the DLL is not trivial, given that it's located in a stream (if the system is using NTFS as its underlying filesystem).

F-Secure Anti-Virus will detect the backdoor when the file/stream is accessed, but might not be able to delete it if it's in use.

A workaround is to temporarily set the product to remove detected files automatically, instead of prompting the user for confirmation, and then reboot the system.

In this way, after restarting, the stream containing the backdoor should be detected when an attempt to access it is made, and therefore removed.

The main executable has been packed with unmodified UPX; its packed length is 58368 bytes, and once unpacked it grows to 118272 bytes.

System installation

The first component to be executed on a system will be the Emaner dropper which, making use of almost identical functionality to that found later in the main backdoor code, will drop a second component onto the user's system and then proceed to run it. This is achieved by calling the LoadLibrary function from Windows' Kernel32.DLL.

The dropped component will be stored in a stream in the default Windows temporary folder if the file system of the computer is NTFS (the default one in Windows NT, 2000 and XP), and in the same folder but as a normal file if the filesystem does not support streams, such as VFAT.

The file/stream name is randomly generated and always consists of lowercase characters from the range [a-z]. The name is built by repeatedly dividing a randomly chosen number and using the remainder of each division to obtain one character of the name: the number is divided by 26 and the ordinal of the 'a' character is added to the remainder, which yields exactly the range of characters given above.

Once the file is copied, the dropper will exit if it has been able to execute the dropped backdoor.

The backdoor component

This component is a DLL, and it has to be run as such. The DLL size is 113152 bytes. The backdoor has an extensive number of features which allow the attacker to gain a high degree of control over the infected machine.

When the backdoor is run, it will add an entry in the Windows Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

[random name] = rundll32 [path to DLL],[options]

All the values [random name], [path to DLL] and [options] depend on several factors. However, [random name] will match the basename (without extension) of the file pointed to by [path to DLL], and it will consist of lowercase characters in the range [a-f].
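The following added example is not part of the F-Secure description or of the malware; it turns two of the traits described above into checks an analyst can run offline: the base-26 name scheme from the "System installation" section (the order in which the remainders are emitted is an assumption) and the shape of the Run key value just described (rundll32, a DLL path that may point into an NTFS stream, a value name equal to a [a-f] basename). The sample Run values are constructed, not real indicators.

```python
import re

# Entry points the write-up lists for the backdoor DLL.
ENTRY_POINTS = {"DebugBreakpoint", "DebugInit", "Init", "InitService",
                "SpawnedInit", "Uninstall"}
# "rundll32 <path to DLL>,<entry point>" as found in the Run key value data.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)"?,(\S*)\s*$', re.IGNORECASE)

def name_from_number(n: int) -> str:
    """Base-26 scheme from the description: divide by 26, remainder + ord('a') per character.
    Emitting the least-significant remainder first is an assumption; the page gives no order."""
    if n < 0:
        raise ValueError("expected a non-negative number")
    chars = []
    while True:
        n, remainder = divmod(n, 26)
        chars.append(chr(ord("a") + remainder))
        if n == 0:
            return "".join(chars)

def check_run_entry(value_name: str, value_data: str) -> dict:
    """Score one Run key value against the traits described for this backdoor."""
    match = RUNDLL32_RE.match(value_data)
    if not match:
        return {"suspicious": False, "ads": False, "name_match": False,
                "known_entry": False, "entry": None}
    dll_path, entry = match.group(1).strip(), match.group(2)
    # After the drive letter, any further ':' means an NTFS alternate data stream.
    ads = ":" in re.sub(r"^[A-Za-z]:", "", dll_path)
    # Basename without extension of the file (stream suffix dropped), as the write-up states.
    basename = dll_path.rsplit("\\", 1)[-1].split(":")[0].rsplit(".", 1)[0]
    name_match = value_name == basename and re.fullmatch(r"[a-f]+", value_name) is not None
    return {"suspicious": ads or name_match, "ads": ads, "name_match": name_match,
            "known_entry": entry in ENTRY_POINTS, "entry": entry}

# Constructed sample Run values (not real indicators) in the shape the page describes.
SAMPLE_RUN_VALUES = {
    "abcfed": r"rundll32 C:\WINNT\Temp\abcfed.dll,Init",
    "dfab": r"rundll32 C:\WINNT\Temp\dfab:klmqx,InitService",
    "NvCplDaemon": r"RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup",
}

def scan(values: dict) -> dict:
    return {name: check_run_entry(name, data) for name, data in values.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_RUN_VALUES).items():
        print(name, verdict)
```

The third sample is a benign-looking rundll32 entry and is reported as not suspicious; the first two match the name or stream traits and are flagged.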

The DLL has the following entry points:

DebugBreakpoint
DebugInit
Init
InitService
SpawnedInit
Uninstall

Each entry point leads to a different behavior. Running the following command:

Rundll32 [path to the DLL],[any of the above entry points and its options]

will load the DLL and execute the corresponding code.

The backdoor contains the following text:

(The text has been reformatted for better appearance on our Web)

************************************************************
If you read this, then this program was probably stolen from our laboratory.
Author of this software is not responsible for any harm that may be caused by
incompetent or malicious persons who use this software possibly running on your
machine. Therefore, please remove this software as soon as possible. Click the
"Start" menu, select "Run", enter there: rundll32 [path to this DLL],Uninstall
and click "OK"
************************************************************

This text does give genuine information on how to remove the backdoor.

More information on removal can be found in the Disinfection section.