Win32/Corkow [Threat Name]

Win32/Corkow.A [Threat Variant Name]

Category trojan
Size 115200 B
Detection created Oct 13, 2011
Detection database version 6540
Aliases Trojan.Win32.Yakes.goc (Kaspersky)
Short description

Win32/Corkow.A installs a backdoor that can be controlled remotely. The file is run-time compressed using UPX.

Installation

The trojan does not create any copies of itself.


The trojan searches for files with the following file extensions:

  • .dll

Only the following folders are searched:

  • %system%

It avoids files with the following filenames:

  • AltTab.dll
  • apphelp.dll
  • appidapi.dll
  • bcryptprimitives.dl
  • cryptprimitives.dll
  • dssenh.dll
  • fveapibase.dll
  • fvewiz.dll
  • mqcertui.dll
  • mqoa.dll
  • mqsnap.dll
  • mqtrig.dll
  • pautoenr.dll
  • RpcRtRemote.dll
  • rsaenh.dll
  • spwizeng.dll
  • userenv.dll
  • uxlib.dll

When the trojan finds a file matching the search criteria, it creates a copy of that file.


The file is saved to one of the following folders:

  • %commonprogramfiles%\microsoft shared\
  • %appdata%\Microsoft Corporation\

The following filename is used:

  • %variable1%.%variable2%

A string with variable content is used instead of %variable1-2%.


The trojan modifies the following file:

  • %variable1%.%variable2%

The modified file contains the original program code along with the program code of the infiltration.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
    • "ServiceDll" = "%commonprogramfiles%\microsoft shared\%variable1%.%variable2%"
  • [HKEY_CURRENT_USER\Software\Classes\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32]
    • "Default" = "%appdata%\Microsoft Corporation\%variable1%.%variable2%"

This way the trojan ensures that the file is executed on every system start.


After the installation is complete, the trojan deletes the original executable file.
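As an added defender-side example (not part of the ESET entry), the following Python flags the two persistence patterns described above in a simplified registry export: a service's ServiceDll that does not live under System32, and a CLSID InprocServer32 default value that points into a user profile or carries a non-DLL extension. The registry text, the user name and the file name abc.def are constructed placeholders; the assumption that service DLLs normally reside under %SystemRoot%\System32 is mine, not the page's.

```python
import re
from typing import List, Tuple

# Constructed, simplified .reg export (string values only; real exports encode
# REG_EXPAND_SZ as hex(2), which this parser does not handle). "abc.def" and the
# user name are placeholders, not indicators from the ESET entry.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"ServiceDll"="C:\\Program Files\\Common Files\\microsoft shared\\abc.def"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Microsoft Corporation\\abc.def"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"ServiceDll"="%SystemRoot%\\System32\\wkssvc.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')

# Assumption: legitimate service DLLs live here; anything else is worth a look.
SYSTEM_DIR = "%systemroot%\\system32\\"


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples from a simplified .reg text."""
    entries, key = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            name = m.group(1) or "Default"          # '@' is the default value
            data = m.group(3).strip().strip('"').replace("\\\\", "\\")
            entries.append((key, name, data))
    return entries


def find_persistence(text: str) -> List[str]:
    """Flag ServiceDll and InprocServer32 values matching the Corkow pattern."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        d = data.lower().replace("c:\\windows", "%systemroot%")  # normalise
        ext = d.rsplit(".", 1)[-1] if "." in d else ""
        if k.endswith("\\parameters") and name.lower() == "servicedll":
            if not d.startswith(SYSTEM_DIR) or ext != "dll":
                findings.append(f"ServiceDll outside System32: {key} -> {data}")
        elif k.endswith("\\inprocserver32") and name == "Default":
            if "\\appdata\\" in d or ext not in ("dll", "ocx", "ax"):
                findings.append(f"Suspicious COM server: {key} -> {data}")
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_REG):
        print(f)
```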

Other information

The trojan serves as a backdoor. It can be controlled remotely.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 8 URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • delete files
  • shut down/restart the computer
  • collect information about the operating system used
  • send gathered information

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Classes\WbemScripting.SWbemLastError\CurVer\62e63ed]
  • [HKEY_CLASSES_ROOT\Software\Classes\WbemScripting.SWbemLastError\CurVer\62e63ed]
