HAURI Security Column

The danger of personal information leaks -- 05/16/11

Written by HAURI Virus Lab.

Cases of personal information being stolen by malicious code for financial gain continue to occur. Recently a case of this kind took place in the US, and the US government responded proactively by seizing the related C&C servers and blocking the associated domains.

The malicious code involved is the Coreflood (also known as AFcore) bot. According to our analysis, it downloads additional malicious code and also drops further malicious files of its own. The dropped components run by injecting themselves into running processes. In addition, the bot creates or modifies registry keys so that it is executed automatically at system boot.

As shown in [PIC 1] and [PIC 2], the malicious code contains IRC command strings. It records the user's keystrokes to a file in encrypted form, then connects to the botnet and carries out further malicious actions on the attacker's command.


[PIC 1] Part of the malicious code


[PIC 2] Part of the IRC commands contained in the malicious code

To protect a PC from this kind of infection, users should apply security patches for their operating system regularly and always keep the anti-virus engine at its latest version.




- What is a C&C server? It is the command-and-control server through which the attacker issues commands to zombie PCs infected by a malicious bot.

[ViRobot Detection Name]
Backdoor.Win32.Coreflood.102400
Backdoor.Win32.Coreflood.123392
Backdoor.Win32.Coreflood.134356
Backdoor.Win32.Coreflood.168960
Backdoor.Win32.Coreflood.176640
Backdoor.Win32.Coreflood.182272
Backdoor.Win32.Coreflood.26624
Backdoor.Win32.Coreflood.48128
Backdoor.Win32.Coreflood.72192
Backdoor.Win32.Coreflood.81920

Copyright 2008 HAURI Inc. All rights reserved.