Report of Coreflood.dr Infection

Published: 2008-06-25
Last Updated: 2008-06-25 03:02:45 UTC
by Deborah Hale (Version: 1)
3 comment(s)

We have had a report tonight of an outbreak of an old friend - a blast from the past.  It appears that this particular outbreak has impacted/infected about 600 machines in a roughly 3000 PC network.  Rick, the reader who reported it, said that they have not yet been able to determine the exact infection entry point, but they do have a working theory. In Rick's words:

"Current theory is iframe in web page browsed by an 'IU' (Idiot User). "

I like that line, don't you?  Anyway, he said that they have discovered that this infection has resulted in a bunch of new user IDs being created on the computers.  When I asked him whether they had discovered the mechanism used to spread to the machines, his reply was:

"My current theory is that the patient 0 system's user was set for sub-domain admin privs, and that allowed it to connect to the C$ share on other systems to infect those systems. Each time an infected system connected to a new system, a user profile was created on that new system. Eventually, all of those infected systems connecting to other systems gave the result of many (30+) user profiles on other systems."

He said that McAfee is reporting "buffer overflow" in a pop-up message on some of the systems and Norton is reporting it as Coreflood.dr.

Rick is hoping some of our readers may have dealt with this bad boy in the past and can provide us with a little insight into what they are seeing.  Please let us know if you have any tips for Rick and his team.

Keywords: Trojan Infection


I'm assuming the blame is being wrongfully directed here...unless the "IU" moniker was referring to "user" in the IT group and not an end-user. If the user was an IU, ID10T, luser, or whatever terminology chosen, why did they have sub domain admin rights and why were they browsing under their login with elevated privs? Why did the machine lack effective AV software? Why did the machine not have IE patched per MS03-032? This is a nearly 5 year old piece of malware.

Lessons learned anyone? Policy and Procedure reviews are certainly necessary here. Implement AV, preferably a managed solution with reporting and alerts. Implement patch management, I'm assuming a Windows environment here due to the nature of Coreflood.dr and a 600+ system infection, so WSUS and/or SMS are strongly recommended. Since this is obviously a domain environment, group policy to enforce systems lockdowns is advisable. Some systems auditing would be good, especially using an automated reporting tool - Hyena comes to mind in the lower cost arena for Windows admins. While auditing, review who has admin rights, not only at the domain level, but at the local machine level.

I think the demand for admin rights probably correlates to user expertise as an inverted bell curve. I eschew admin rights on my business laptop because I've been educated to value that layer of protection. But there are also people I work with who demand admin rights and don't care about the risk.

Our company also was hit with this new variant of Coreflood - we submitted samples to McAfee on Monday and received an extra.dat within an hour. It's important to note that in a larger environment, the profile creation can become a problem very quickly - we had machines with over 1500 profiles. This thing uses PSEXEC (%WINDIR%\psexesvc.exe) to drop the infector (%WINDIR%\system32\wmedia106.exe), which then proceeds to infect other machines. For those without AV coverage, a workaround exists: stop the PSEXEC service and set it to Disabled, then delete %WINDIR%\system32\wmedia106.exe. This will prevent the service from downloading the actual virus and keep it from spreading.
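The workaround in the last comment, together with the profile-creation symptom Rick describes, can be turned into a per-host triage check. The script below is an added example, not code from the diary or its commenters; it assumes the PsExec service is registered under its usual name PSEXESVC and uses a hypothetical 30-profile threshold.

```powershell
# Added triage script (not from the diary or its comments). Checks one Windows host
# for the indicators the comments describe: the PSEXESVC service used to drop the
# infector, the dropped file %WINDIR%\system32\wmedia106.exe, and an abnormal number
# of local user profiles created by infected peers connecting over the C$ share.
# Assumptions: the PsExec service is registered under its usual name PSEXESVC, and the
# 30-profile threshold is a hypothetical default. Run from an elevated PowerShell session.
function Invoke-CorefloodTriage {
    param(
        [string]$ServiceName = 'PSEXESVC',
        [string]$DropperPath = (Join-Path $env:WINDIR 'system32\wmedia106.exe'),
        [int]$ProfileThreshold = 30,
        [switch]$Remediate
    )

    # Indicator 1: the PsExec service (psexesvc.exe) is installed on this host.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { "$($svc.Status)" } else { 'absent' }

    # Indicator 2: the infector named in the comment was dropped into system32.
    $dropperPresent = Test-Path -LiteralPath $DropperPath

    # Indicator 3: profile count from ProfileList (one subkey per SID, system accounts
    # included); the diary reports 30+ and one comment 1500+ profiles on infected hosts.
    $profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $profileCount = @(Get-ChildItem -Path $profileKey -ErrorAction SilentlyContinue).Count

    $result = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PsExecService  = $svcStatus
        DropperPresent = $dropperPresent
        ProfileCount   = $profileCount
        Suspicious     = [bool]($svc -or $dropperPresent -or ($profileCount -ge $ProfileThreshold))
    }

    if ($Remediate -and $result.Suspicious) {
        # The comment's workaround: stop and disable the service, then delete the dropper.
        # This also blocks legitimate PsExec use on the host until the service is re-enabled.
        if ($svc) {
            Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
            Set-Service -Name $ServiceName -StartupType Disabled
        }
        if ($dropperPresent) {
            Remove-Item -LiteralPath $DropperPath -Force
        }
    }
    return $result
}

# Report-only by default; add -Remediate to apply the workaround on a suspicious host.
Invoke-CorefloodTriage | Format-List
```

The report-only output is what you would collect from the whole estate first, so that the profile counts and dropper hits give you the spread before anything is changed.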
