Backdoor.Coreflood!1


Discovered: May 20, 2003
Updated: May 21, 2003 12:01:36 AM
Systems Affected: Windows

Backdoor.Coreflood is a remote access program, installed by JS.Cisp, that also has DDoS capability.


The program is downloaded via the JS.Cisp (MCID 1487) program, and executed on the compromised host.

When executed, the program creates a copy of itself as %SysDir%\X.DLL, where X represents a string of seven random characters. The Backdoor.Coreflood program then loads this dynamic-link library (DLL) and injects its code into the EXPLORER.EXE memory space.

The program then attempts to download an additional component, an executable that in turn drops a .dll. Both files are extracted to %SysDir%, and both use the same random seven-character name for the .exe and .dll file names.

After the files are placed in %SysDir%, the following value is added to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:

"X" = %SysDir%\X.EXE

where X represents the random name given to the second executable.

The .dll extracted as part of the second download is also loaded into the EXPLORER.EXE memory space. Once this .dll is loaded, the program downloads a configuration file over HTTP. This configuration file contains additional information on the backdoor and on other functionality of the program.
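As an added defender-side example (not code from the advisory or from Symantec), the following Python triage script checks for the persistence pattern described above: a Run-key value whose name X is a seven-character string, whose data points to X.EXE in the system directory, and for which an X.DLL sits beside it. The `reg query` output and the directory listing are constructed samples, the accepted spellings of the system directory are an assumption, and the line parser assumes value names without spaces.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query` output for the Run key (not taken from the advisory).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    qwfzkpl    REG_SZ    C:\WINDOWS\System32\qwfzkpl.exe
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

# Constructed listing of %SysDir%; the dropped .EXE and .DLL share the random seven-character stem.
SAMPLE_SYSDIR_FILES = {"kernel32.dll", "notepad.exe", "qwfzkpl.exe", "qwfzkpl.dll"}

# One value line of `reg query` output: name, type, data separated by runs of spaces.
# Assumption: value names contain no spaces.
RUN_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*?)\s*$")
SEVEN_CHARS = re.compile(r"^[A-Za-z0-9]{7}$")
# Spellings of the system directory accepted in the value data (assumed list).
SYSDIR_ALIASES = {r"c:\windows\system32", r"%sysdir%", r"%systemroot%\system32", r"%windir%\system32"}


def parse_run_key(text):
    """Return (name, type, data) tuples for each value line in `reg query` output."""
    return [m.group("name", "type", "data")
            for m in (RUN_LINE.match(line) for line in text.splitlines()) if m]


def image_path(data):
    """Strip command-line arguments: a quoted path, or the first whitespace-delimited token."""
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def find_coreflood_like(entries, sysdir_files):
    """Flag Run values matching the advisory's pattern: value name X of seven characters,
    data <SysDir>\\X.EXE, and X.DLL present in the same directory."""
    present = {f.lower() for f in sysdir_files}
    hits = []
    for name, _type, data in entries:
        path = PureWindowsPath(image_path(data))
        stem = path.stem.lower()
        if path.suffix.lower() != ".exe" or not SEVEN_CHARS.match(stem):
            continue
        if str(path.parent).lower() not in SYSDIR_ALIASES or name.lower() != stem:
            continue
        if stem + ".dll" in present:
            hits.append(name)
    return hits
```

On a live host, feed the script the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and a listing of the system directory; a hit is a lead for further review, not a confirmed infection.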