Registry key to add to protect against Coreflood botnet

MrBrian · July 17, 2008, 11:36pm

From http://www.secureworks.com/research/threats/coreflood/?threat=coreflood:

Coreflood itself has a unique method of startup - it uses the registry key Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
This key is not well-known as a startup method and not always checked by anti-malware scanners. However, when Windows Explorer or Internet Explorer is started, this key is checked and any listed DLL (referenced by GUID) will be loaded into the process and initialized. For malware, this is similar to using a browser helper object (BHO) but without using the well-known BHO registry keys

aigle · July 18, 2008, 11:05am

Interesting. Thanks for posting it. (CNY)

gibran · July 18, 2008, 11:32am

Thanks,

I added *\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers* to My protected registry keys :-TU

aigle · July 18, 2008, 12:42pm

The key is covered by Autoruns.

gibran · July 18, 2008, 1:09pm

Strange ??? Automatic Startup on my configuration didn’t have it

aigle · July 18, 2008, 2:21pm

I mean Autoruns by Sysinternals, not CFP.

MrBrian · July 19, 2008, 12:02am

You’re welcome :).