Afcore.q


Aliases: TrojanDropper.Win32.Emaner, Backdoor.Afcore.q

Malware
Backdoor
W32

Summary

This backdoor and its dropper introduce a novel storage technique: the backdoor component is kept in an alternate data stream, a mode of storing data provided by the NTFS file system.

The backdoor itself gives an attacker remote control of the infected machine.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The backdoor provides its own removal mechanism which, however, seems to leave some files on the system. It does remove the Registry key, so the backdoor will not run the next time Windows restarts.

If a Windows 2000, NT or XP system is already infected, removing the DLL is not trivial, because it is located in a stream (if the system is using NTFS as its underlying file system).

F-Secure Anti-Virus will detect the backdoor when the file/stream is accessed, but might not be able to delete it while it is in use.

A workaround is to temporarily set the option for automatic removal, instead of prompting the user for confirmation, and then reboot the system.

In this way, after the restart the stream containing the backdoor should be detected when an attempt is made to access it, and therefore removed.

The main executable has been packed with unmodified UPX. Its packed length is 58368 bytes; once unpacked it grows to 118272 bytes.


System installation

The first component to be executed on a system is the Emaner dropper. Using almost identical functionality to that found later in the main backdoor code, it drops a second component onto the user's system and then runs it. This is achieved by calling the LoadLibrary function from Windows' Kernel32.DLL.

The dropped component is stored in a stream in the default Windows temporary folder if the file system of the computer is NTFS (the default in Windows NT, 2000 and XP), and in the same folder as a normal file if the file system does not support streams, such as VFAT.

The file/stream name is randomly generated and always consists of lowercase characters in the range [a-z]. The name is built by repeatedly dividing a randomly chosen number and using the remainder of each division to obtain one character of the name: the random number is divided by 26, and the ordinal of the 'a' character is added to the remainder, which yields the range of characters given above.

Once the file is copied, the dropper exits if it has been able to execute the dropped backdoor.


The backdoor component

This component is a DLL, and it has to be run as such. The DLL size is 113152 bytes. The backdoor has an extensive number of features which allow the attacker to gain a high degree of control over the infected machine.

When the backdoor is run, it will add an entry in the Windows Registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

[random name] = rundll32 [path to DLL],[options]

The values [random name], [path to DLL] and [options] all depend on several factors. However, [random name] will match the basename (without extension) of the file pointed to by [path to DLL], and will consist of lowercase characters in the range [a-f].

The DLL has the following entry points:

DebugBreakpoint
DebugInit
Init
InitService
SpawnedInit
Uninstall

Each entry point leads to a different behaviour. Running the following command:

Rundll32 [path to the DLL],[any of the above entry points and its options]

loads the DLL and executes the corresponding code.
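The name-derivation scheme described under "System installation" and the Run-key layout and entry-point list above can be turned into a small triage check. The following is an added example, not code from the original description or from F-Secure: derive_name() reproduces the division-by-26 mapping (the page does not say when the loop stops; stopping at a zero quotient is an assumption), and looks_like_afcore_run_entry() flags Run-key values that call rundll32 with one of the listed entry points on a DLL whose lowercase-letter basename equals the value name. The check uses the broader [a-z] range the page gives, the sample Run entries are constructed, and treating a file:stream suffix as the name is an assumption.

```python
import re
import ntpath

# Entry points the description lists for the Afcore.q DLL.
AFCORE_ENTRY_POINTS = {"DebugBreakpoint", "DebugInit", "Init",
                       "InitService", "SpawnedInit", "Uninstall"}

# "rundll32 <path to DLL>,<entry point> [options]", optionally quoted/with .exe
RUNDLL_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>.+?),(?P<entry>[A-Za-z_]\w*)',
    re.IGNORECASE)


def derive_name(seed: int) -> str:
    """Map a random number to a lowercase name as the description explains:
    divide by 26 repeatedly, each remainder becomes 'a' + remainder.
    Assumption: the loop ends when the quotient reaches zero."""
    if seed <= 0:
        raise ValueError("seed must be a positive integer")
    chars = []
    while seed:
        seed, rem = divmod(seed, 26)
        chars.append(chr(ord("a") + rem))
    return "".join(chars)


def looks_like_afcore_run_entry(value_name: str, command: str) -> bool:
    """True if a Run-key value matches the layout described for the backdoor."""
    m = RUNDLL_RE.match(command)
    if not m or m.group("entry") not in AFCORE_ENTRY_POINTS:
        return False
    base = ntpath.basename(m.group("dll").strip().strip('"'))
    if ":" in base:
        # Assumption: a file:stream path names the stream holding the DLL.
        base = base.rsplit(":", 1)[-1]
    else:
        base = ntpath.splitext(base)[0]   # basename without extension
    return bool(re.fullmatch(r"[a-z]+", base)) and value_name == base


# Constructed sample Run-key entries, not taken from a real system.
SAMPLE_RUN_ENTRIES = {
    "bcdfae": r"rundll32 C:\WINDOWS\TEMP\bcdfae.dll,Init",
    "NvCplDaemon": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    "bb": r"rundll32 C:\WINDOWS\TEMP\host.log:bb,InitService",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}


def scan_run_entries(entries: dict) -> list:
    """Return the value names that match the backdoor's Run-key pattern."""
    return sorted(n for n, cmd in entries.items()
                  if looks_like_afcore_run_entry(n, cmd))
```

Legitimate rundll32 entries such as the NvCpl sample are not flagged, because both the entry-point name and the basename rule must match.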

The backdoor contains the following text:

(The text has been reformatted for better appearance on our Web)

************************************************************
If you read this, then this program was probably stolen from our laboratory. Author of this software is not responsible for any harm that may be caused by incompetent or malicious persons who use this software possibly running on your machine. Therefore, please remove this software as soon as possible. Click the "Start" menu, select "Run", enter there: rundll32 [path to this DLL],Uninstall and click "OK"
************************************************************

This text does provide accurate information about removing the backdoor.

More information on removal can be found from the Disinfection section.



Detection



Detection Type: PC
Database: 2003-10-01_01



Technical Details: Ero Carrera, 2nd of October, 2003


