Win32/Corkow [Threat Name]

Win32/Corkow.AE [Threat Variant Name]

Category trojan
Size 180224 B
Aliases VirTool:Win32/Obfuscator.WT (Microsoft)
Short description

Win32/Corkow.AE installs a backdoor that can be controlled remotely.


The trojan does not create any copies of itself.

The trojan searches for files with the following file extensions:

  • .dll

Only the following folders are searched:

  • %system%

It avoids files with the following filenames:

  • AltTab.dll
  • apphelp.dll
  • appidapi.dll
  • bcryptprimitives.dll
  • certmgr.dll
  • cryptprimitives.dll
  • dssenh.dll
  • fveapibase.dll
  • fvewiz.dll
  • mqcertui.dll
  • mqoa.dll
  • mqsnap.dll
  • mqtrig.dll
  • pautoenr.dll
  • RpcRtRemote.dll
  • rsaenh.dll
  • spwizeng.dll
  • userenv.dll
  • uxlib.dll

When the trojan finds a file matching the search criteria, it creates a duplicate of that file.

The file is saved to one of the following folders:

  • %commonprogramfiles%\SpeechEngines\Microsoft\SP2%random%\
  • %appdata%\DAO%random%\
  • %appdata%\Microsoft Corporation\

The following filename is used:

  • %variable1%.%variable2%

A string with variable content is used instead of %variable1-2%.

The trojan modifies the following file:

  • %variable1%.%variable2%

The modified file contains the original program code along with the program code of the infiltration.

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
    • "ServiceDll" = "%commonprogramfiles%\SpeechEngines\Microsoft\SP2%random%\%variable1%.%variable2%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer]
    • "Start" = 2
    • "ObjectName" = "LocalSystem"
  • [HKEY_CURRENT_USER\Software\Classes\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}]
    • "InprocServer32" = "%appdata%\DAO%random%\%variable1%.%variable2%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "NvCplWow64" = "%systemroot%\SysWOW64\Rundll32.exe "%appdata%\Microsoft Corporation\%variable1%.%variable2%",Control_RunDll"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "NvCplWow64" = "%systemroot%\System32\Rundll32.exe "%appdata%\Microsoft Corporation\%variable1%.%variable2%",Control_RunDll"

This way the trojan ensures that the file is executed on every system start.

After the installation is complete, the trojan deletes the original executable file.
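
The registry entries listed above can be checked for by matching saved `reg query` output against them. The following is an added example, not part of the original description; the function names, the constructed sample data and the reading of %random% and %variable1%.%variable2% as any single path component are assumptions.

```python
import re

# Patterns transcribed from the registry entries this page lists. %random% and
# %variable1%.%variable2% are treated as "any single path component".
RULES = [  # (label, key regex, value name or None for any, data regex)
    ("LanmanServer ServiceDll", r"\\Services\\LanmanServer\\Parameters$",
     "ServiceDll", r"\\SpeechEngines\\Microsoft\\SP2[^\\]*\\[^\\]+$"),
    # The page shows InprocServer32 as a value; on a live system it is a subkey
    # whose default value holds the path, so any value name is accepted here.
    ("CLSID InprocServer32", r"\\CLSID\\\{35CEC8A3-2BE6-11D2-8773-92E220524153\}",
     None, r"\\DAO[^\\]*\\[^\\]+$"),
    ("Run NvCplWow64", r"\\CurrentVersion\\Run$", "NvCplWow64",
     r'Rundll32\.exe\s+"[^"]*\\Microsoft Corporation\\[^\\"]+",Control_RunDll'),
]

def parse_reg_query(text):
    """Yield (key, value_name, data) from the text output of `reg query`."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and line.startswith("    "):
            parts = line.strip().split("    ", 2)  # name, type, data
            if len(parts) == 3:
                yield key, parts[0], parts[2]

def find_corkow_persistence(text):
    """Return (label, key, data) for every value that matches a rule."""
    hits = []
    for key, name, data in parse_reg_query(text):
        for label, key_re, value_name, data_re in RULES:
            if (re.search(key_re, key, re.I)
                    and (value_name is None or value_name.lower() == name.lower())
                    and re.search(data_re, data, re.I)):
                hits.append((label, key, data))
    return hits

# Constructed sample: three values shaped like the page's entries plus one unrelated Run value.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Program Files\Common Files\SpeechEngines\Microsoft\SP2k3f\qwxz.dat

HKEY_CURRENT_USER\Software\Classes\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32
    (Default)    REG_SZ    C:\Users\alice\AppData\Roaming\DAOx9\qwxz.dat

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NvCplWow64    REG_SZ    C:\Windows\System32\Rundll32.exe "C:\Users\alice\AppData\Roaming\Microsoft Corporation\qwxz.dat",Control_RunDll
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

if __name__ == "__main__":
    for hit in find_corkow_persistence(SAMPLE):
        print(*hit, sep=" | ")
```

The rules match only the tail of each path, so they apply whether the stored data is expanded or still contains environment variables such as %appdata%.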

Information stealing

The trojan collects the following information:

  • operating system version
  • language settings
  • information about the operating system and system settings
  • user name
  • volume serial number

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan serves as a backdoor. It can be controlled remotely.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 9 URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • delete files
  • shut down/restart the computer
  • send gathered information
  • uninstall itself

The trojan checks for Internet connectivity by trying to connect to the following servers:


The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Classes\WbemScripting.SWbemLastError\CurVer\%variable%]
  • [HKEY_CLASSES_ROOT\WbemScripting.SWbemLastError\CurVer\%variable%]

A string with variable content is used instead of %variable%.

The trojan can also overwrite the entire contents of the drives with its own data.

The trojan may cause the operating system to crash.

It exploits the CVE-2013-3660 vulnerability.
