Backdoor:Win32/Afcore.BB
First posted on 10 June 2016.
Source: Microsoft
Aliases:
There are no other names known for Backdoor:Win32/Afcore.BB.
Explanation:
Installation
Backdoor:Win32/Afcore.BB is installed by Backdoor:Win32/Afcore. When the installer trojan is run, it drops the following files:
- %TEMP%\ .dll - Backdoor:Win32/Afcore.BB
- %TEMP%\ .dll - Backdoor:Win32/Afcore.BB
- %TEMP%\ .dat - data file
- %TEMP%\ .dat - data file
- %TEMP%\ .dat - data file
It modifies the following registry entries so that the DLL in the %TEMP% folder runs each time you start your PC:
In subkey: HKLM\Software\Classes\CLSID\{ }
Sets value: "(default)"
With data:
In subkey: HKLM\SOFTWARE\Classes\CLSID\{ }\InprocServer32
Sets value: "(default)"
With data: "\ .dll"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\
Sets value: "(default)"
With data: "{ }"
After installing Backdoor:Win32/Afcore.BB, Backdoor:Win32/Afcore deletes itself by running instructions within a command shell (cmd.exe). The DLL is then injected into Explorer.exe to hide itself and bypass firewalls.
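The persistence chain above (an overlay handler name under ShellIconOverlayIdentifiers, whose (default) value is a CLSID, whose InprocServer32 resolves to a DLL in %TEMP%) can be audited on a suspect host. The following is an added detection script, not code from Microsoft's write-up; it assumes an elevated PowerShell prompt and treats any handler DLL that lives under %TEMP%, is missing, or is not validly signed as worth triage.

```powershell
# Added example: enumerate shell icon overlay handlers and resolve each
# CLSID to the in-process DLL Explorer will load, flagging the pattern the
# Afcore.BB description gives (handler DLL dropped in %TEMP%).
$overlayRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

function Get-OverlayHandlerReport {
    foreach ($entry in Get-ChildItem -Path $overlayRoot -ErrorAction SilentlyContinue) {
        # The (default) value of each overlay subkey holds the handler's CLSID.
        # PSChildName keeps leading spaces, which legitimate handlers also use for ordering.
        $clsid = (Get-ItemProperty -Path $entry.PSPath -ErrorAction SilentlyContinue).'(default)'
        if (-not $clsid) { continue }

        # Resolve the CLSID to its InprocServer32 DLL path (REG_EXPAND_SZ is expanded here too).
        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
        $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }

        $inTemp = [bool]($expanded -and $expanded.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase))
        $sig = if ($expanded -and (Test-Path -LiteralPath $expanded)) {
            (Get-AuthenticodeSignature -FilePath $expanded).Status
        } else { 'FileMissing' }

        [PSCustomObject]@{
            OverlayName = $entry.PSChildName
            CLSID       = $clsid
            DllPath     = $expanded
            InTemp      = $inTemp
            Signature   = $sig
            # Triage hint only: unsigned third-party handlers exist, but a DLL in %TEMP% never should.
            Suspicious  = ($inTemp -or ($sig -ne 'Valid'))
        }
    }
}

Get-OverlayHandlerReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Because the handler DLL runs inside Explorer.exe, a hit here should be correlated with Explorer's loaded modules and outbound connections rather than cleaned by deleting the registry key alone.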
Payload
Allows remote access and control
Win32/Afcore.BB opens a TCP port and awaits commands from a hacker. A hacker can tell the trojan to capture passwords and attack other computers.
Analysis by Andrei Florin Saygo
Last update 10 June 2016