New Coreflood-based Spam Trojan on the loose - Using ADS Again...

Brian Eckman eckman at
Mon Dec 15 22:38:09 GMT 2003

I just sent in the newest version of the Coreflood Spam Trojans to 
Symantec for processing. Those of you who don't use Symantec would be 
wise to send in the following to your AV company of choice for immediate 

(remove the "1" from the above URL. It is there for liability reasons.)

(NOTE: I am not associated with that Web site. Use all of this 
information at your own risk. That is at least one "official" 
distribution point of this proxy trojan. Coreflood-based proxy trojans 
have a good history of being abused as spam proxies. That Web site has 
distributed previous Coreflood trojans as well. If anyone beats me to 
trying to get that site taken off of the Web, please feel free to do so. 
I am doing other very important work right now.)

Running that EXE (linked to above) will infect the Windows computer with 
a variant of Coreflood that infects the computer by injecting itself 
into an Alternate Data Stream of the System32 directory (this is not the 
first Coreflood variant to do so). It then puts itself in startup in the 
registry. If you delete that key, it puts itself back immediately. With 
the last ADS variant I messed with, I deleted it from the registry and 
pulled the power cable to the computer instantly afterward, and that 
still did not remove it from the registry.

Removal ideas
(copied and pasted from an e-mail I sent to someone months ago)

The quick way to resolve it that I learned about after dealing with one 
myself is to unregister the DLL. You'll have to change the name of the 
DLL to match that of your infection, but try this from a command prompt:
rundll32 c:\winnt\system32:acbdhpd.dll,Uninstall

Then, delete it from starting in the registry, and it shouldn't be able 
to put itself back because the Uninstall above should remove it from memory.

Another quick way is to go to C:\WINNT\SYSTEM32\RUNDLL32.EXE, right 
click on it, go into properties. Click the Security tab, and take away 
everyone's rights to Execute it. Reboot, and the spam trojan should not 
be able to load. Then delete the registry entry, and you can set 
RUNDLL32.EXE back to being executable again.

A more dangerous way that I first used before hearing about the first 
two was to make a copy of rundll32.exe and rename it temporarily, then 
delete rundll32.exe in all three locations it is in (C:\WINNT\System32\, 
C:\WINNT\ServicePackFiles\i386\ and C:\WINNT\System32\dllcache\). 
Alternately, I believe you can turn off System File Protection and just 
rename rundll32.exe in the System32 directory, but I don't recall offhand 
how to turn off System File Protection.

One way to discover it is that infected machines send a POST to (potentially other IP addresses are used). An example POST 
would begin with:

POST /cgi-bin/ref.cgi?

The next bytes immediately after the "?" for today are: 
Mon%20Dec%2015%20   (.... continuing with other info, such as the port 
the SOCKS and HTTP proxies are listening on. Change the date to 
Tue%20Dec%2016%20 for tomorrow, etc.)

Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."
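
The check-in described in the message (a POST to /cgi-bin/ref.cgi? followed by a URL-encoded weekday, month and day) can be hunted for in proxy or web-gateway logs. The following is an added example, not part of the original post: the log layout (timestamp, client IP, method, URL, status), the hostnames, the client addresses and the REST-OF-QUERY placeholder are constructed, and accepting a space-padded day is an assumption.

```python
import re
from urllib.parse import unquote

# Request shape from the post: POST /cgi-bin/ref.cgi?<Day>%20<Mon>%20<DD>%20...
# Matching any weekday/month generalizes the single "Mon%20Dec%2015%20" sample,
# so the rule does not have to be rewritten every day.
BEACON = re.compile(
    r"\bPOST\s+(?:https?://[^/\s]+)?/cgi-bin/ref\.cgi\?"
    r"(?P<stamp>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)%20"
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)%20"
    r"(?:%20)?\d{1,2})%20"  # optional extra %20: assumed space-padded day
)

# Constructed sample log lines: <timestamp> <client> <method> <url> <status>
SAMPLE_LOG = [
    "2003-12-15T22:01:07Z 10.0.4.17 POST "
    "http://collector.example/cgi-bin/ref.cgi?Mon%20Dec%2015%20REST-OF-QUERY 200",
    # Same path, but no date prefix after the "?": not the pattern described
    "2003-12-15T22:02:11Z 10.0.4.20 POST "
    "http://intranet.example/cgi-bin/ref.cgi?id=42 200",
    # Same URL fetched with GET: the post describes a POST
    "2003-12-15T22:03:40Z 10.0.4.21 GET "
    "http://collector.example/cgi-bin/ref.cgi?Mon%20Dec%2015%20REST-OF-QUERY 200",
    "2003-12-16T03:15:52Z 10.0.9.3 POST "
    "http://collector.example/cgi-bin/ref.cgi?Tue%20Dec%2016%20REST-OF-QUERY 200",
]


def find_beacons(lines):
    """Return (client, decoded date stamp) for each line matching the check-in."""
    hits = []
    for line in lines:
        match = BEACON.search(line)
        if match:
            client = line.split()[1]  # second field in the constructed layout
            hits.append((client, unquote(match.group("stamp"))))
    return hits


if __name__ == "__main__":
    for client, stamp in find_beacons(SAMPLE_LOG):
        print(f"possible Coreflood check-in from {client} (stamp: {stamp})")
```
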
