Re: New Variant of coreflood!mem / coreflood.dll / coreflood.dr ?

I was forced to do a repair of Windows and re-install the operating system.

SamSwift
Level 12
Message 12 of 17

Re: New Variant of coreflood!mem / coreflood.dll / coreflood.dr ?

Marking as 'assumed answered' due to age of thread. If you need any further assistance please don't hesitate to let us know.

Re: New Variant of coreflood!mem / coreflood.dll / coreflood.dr ?

Why don't you guys provide a solution for the problem?

SamSwift
Level 12
Message 14 of 17

Re: New Variant of coreflood!mem / coreflood.dll / coreflood.dr ?

Hi,

Malware authors often create new variants of older malware to save themselves the effort of creating something completely new. If you are still having issues with a newer variant of this, please can you give further details, and submit samples of files which are not being detected or are seeing clean failures. If your business is impacted at all by this threat I would strongly recommend contacting technical support and logging a service request too.

Hope this helps,

Sam

Re: New Variant of coreflood!mem / coreflood.dll / coreflood.dr ?

what port does this flood?

dvo
Level 9
Message 16 of 17

Re: New Variant of coreflood!mem / coreflood.dll / coreflood.dr ?

The coreflood!mem on explorer.exe seems to be happening because of DLL or DAT files that are hooked to explorer.exe on boot-up and are causing detections.

I suggest getting with support to validate the root files causing the detections.

I've seen .dat files in system32 with current modified dates that are very suspicious, and I am in the process of working with McAfee Labs on getting new definitions created.

These files are seen to hook into explorer.exe, and once McAfee detects them as coreflood!mem, those files are then seen unhooked until a reboot.
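The symptom dvo describes above (freshly modified .dll/.dat files in System32 that get hooked into explorer.exe) can be triaged with a short script before opening the support case. The following is an added example, not code from the poster or from McAfee; the 7-day window, the parameter names and the System32-only scope are assumptions. It lists recently modified .dll/.dat files in System32, checks whether each one is currently loaded into any explorer.exe instance, and shows its Authenticode status so that unsigned, recently written, loaded files stand out.

```powershell
# Added example (not the poster's or McAfee's code): triage recently modified
# .dll/.dat files in System32 and cross-check them against explorer.exe modules.
# Run from an elevated PowerShell (3.0+) so all explorer.exe modules are visible.
# $DaysBack = 7 and the System32-only scope are assumptions, adjust as needed.
param(
    [int]$DaysBack = 7,
    [string]$SystemDir = "$env:SystemRoot\System32"
)

$cutoff = (Get-Date).AddDays(-$DaysBack)

# Every module currently loaded into any explorer.exe instance, keyed by full path.
# Note: once the AV unhooks the file (as the post describes) it will no longer
# appear here until the next reboot, so also keep the on-disk list below.
$loaded = @{}
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    try {
        foreach ($m in $_.Modules) { $loaded[$m.FileName.ToLower()] = $true }
    } catch {
        # Access denied or 32/64-bit mismatch: module list unavailable for this PID.
        Write-Warning "Could not enumerate modules for PID $($_.Id): $_"
    }
}

# Recently modified .dll/.dat files directly under System32 (no recursion).
Get-ChildItem -Path $SystemDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.(dll|dat)$' -and $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        # Non-PE .dat files simply report NotSigned / UnknownError here.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Path             = $_.FullName
            LastWriteTime    = $_.LastWriteTime
            LoadedInExplorer = $loaded.ContainsKey($_.FullName.ToLower())
            Signature        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer           = $sig.SignerCertificate.Subject
        }
    } |
    Sort-Object LoadedInExplorer, LastWriteTime -Descending |
    Format-Table -AutoSize
```

Files that show LoadedInExplorer = True with a Signature other than Valid (or a signer that is not Microsoft) are the ones worth submitting to support or the labs, as the post suggests. A recent LastWriteTime on its own proves nothing, since Windows updates also rewrite files in System32; the combination of recent write, being mapped into explorer.exe, and a missing or mismatched signature is what makes a file suspicious.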

ag100
Level 7
Message 17 of 17

Re: New Variant of coreflood!mem / coreflood.dll / coreflood.dr ?

Remove Coreflood using the perl script found here:  http://www.secureworks.com/research/threats/coreflood-removal/?threat=coreflood-removal


The instructions work well, and while the script is a bit old, the only thing that needs to be modified for it to work against recent variants is the POST path (last time I checked, /c/a should be changed to something like index.php).

Once that's up and running, point DNS for the current C2 domain to the server running the perl script and all infected clients should remove the infection upon check-in.

Although I've seen this used successfully, I strongly recommend testing in a lab before using in production.

Hope that helps,

-ag100
