Win32/Corkow [Threat Name] go to Threat
Win32/Corkow.AE [Threat Variant Name]
| Category | trojan |
| Size | 180224 B |
| Aliases | VirTool:Win32/Obfuscator.WT (Microsoft) |
Short description
Win32/Corkow.AE installs a backdoor that can be controlled remotely.
Installation
The trojan does not create any copies of itself.
The trojan searches for files with the following file extensions:
- .dll
Only following folders are searched:
- %system%
It avoids files with the following filenames:
- AltTab.dll
- apphelp.dll
- appidapi.dll
- bcryptprimitives.dll
- certmgr.dll
- cryptprimitives.dll
- dssenh.dll
- fveapibase.dll
- fvewiz.dll
- mqcertui.dll
- mqoa.dll
- mqsnap.dll
- mqtrig.dll
- pautoenr.dll
- RpcRtRemote.dll
- rsaenh.dll
- spwizeng.dll
- userenv.dll
- uxlib.dll
When the trojan finds a file matching the search criteria, it creates its duplicate.
The file is saved to one of the following folders:
- %commonprogramfiles%\SpeechEngines\Microsoft\SP2%random%\
- %appdata%\DAO%random%\
- %appdata%\Microsoft Corporation\
The following filename is used:
- %variable1%.%variable2%
A string with variable content is used instead of %variable1-2% .
The trojan modifies the following file:
- %variable1%.%variable2%
The modified file contains the original program code along with the program code of the infiltration.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
- "ServiceDll" = "%commonprogramfiles%\SpeechEngines\Microsoft\SP2%random%\%variable1%.%variable2%"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer]
- "Start" = 2
- "ObjectName" = "LocalSystem"
- [HKEY_CURRENT_USER\Software\Classes\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}]
- "InprocServer32" = "%appdata%\DAO%random%\%variable1%.%variable2%"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "NvCplWow64" = "%systemroot%\SysWOW64\Rundll32.exe "%appdata%\Microsoft Corporation\%variable1%.%variable2%",Control_RunDll"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "NvCplWow64" = "%systemroot%\System32\Rundll32.exe "%appdata%\Microsoft Corporation\%variable1%.%variable2%",Control_RunDll"
This way the trojan ensures that the file is executed on every system start.
After the installation is complete, the trojan deletes the original executable file.
Information stealing
The trojan collects the following information:
- operating system version
- language settings
- information about the operating system and system settings
- user name
- volume serial number
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan serves as a backdoor. It can be controlled remotely.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (9) URLs. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- delete files
- shut down/restart the computer
- send gathered information
- uninstall itself
The trojan checks for Internet connectivity by trying to connect to the following servers:
- http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl
- http://www.msftncsi.com/ncsi.txt
- http://crl.microsoft.com/pki/crl/products/WinPCA.crl
- http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
The trojan keeps various information in the following Registry keys:
- [HKEY_CURRENT_USER\Software\Classes\WbemScripting.SWbemLastError\CurVer\%variable%]
- [HKEY_CLASSES_ROOT\WbemScripting.SWbemLastError\CurVer\%variable%]
A string with variable content is used instead of %variable% .
The trojan can also overwrite the entire contents of the drives with its own data.
The trojan may cause the operating system to crash.
It exploits the CVE-2013-3660 vulnerability.