Registry key to add to protect against Coreflood botnet


Coreflood itself has a unique method of startup - it uses the registry key Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

This key is not well-known as a startup method and not always checked by anti-malware scanners. However, when Windows Explorer or Internet Explorer is started, this key is checked and any listed DLL (referenced by GUID) will be loaded into the process and initialized. For malware, this is similar to using a browser helper object (BHO) but without using the well-known BHO registry keys.
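As an added example (not part of the thread), a Python script that triages an exported copy of this key offline, the way a responder would check a suspect machine: it resolves each overlay handler's CLSID to the DLL registered under InprocServer32 and flags any handler whose DLL is missing or lives outside the system and Program Files directories. The .reg text, CLSIDs and paths are constructed; it assumes the export used plain string values (@="...") rather than hex(2) blobs.

```python
"""Offline triage of ShellIconOverlayIdentifiers handlers from a .reg export."""
import re
from typing import Dict, List, Optional

# Constructed sample export: CLSIDs and DLL paths are made-up placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\SharingPrivate]
@="{AAAAAAAA-0000-0000-0000-000000000001}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Updater]
@="{AAAAAAAA-0000-0000-0000-000000000002}"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\overlay_ok.dll"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Users\\Public\\svchost.dll"
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')
OVERLAY_KEY = '\\Explorer\\ShellIconOverlayIdentifiers\\'
# Directories where legitimate shell extension DLLs normally live (assumption).
TRUSTED_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\',
                'c:\\program files\\', 'c:\\program files (x86)\\')
CLSID_HIVES = ('HKEY_CLASSES_ROOT', 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes',
               'HKEY_CURRENT_USER\\SOFTWARE\\Classes')

def parse_reg(text: str) -> Dict[str, str]:
    """Map each exported key path to its default (@) string value."""
    values: Dict[str, str] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            current = m.group(1)
        elif current and (m := DEFAULT_RE.match(line)):
            values[current] = m.group(1).replace('\\\\', '\\')  # un-escape \\
    return values

def find_overlay_handlers(values: Dict[str, str]) -> List[dict]:
    """Resolve each overlay handler CLSID to its DLL and flag unusual locations."""
    findings = []
    for path, clsid in values.items():
        if OVERLAY_KEY.lower() not in path.lower():
            continue
        dll = next((values.get(f'{hive}\\CLSID\\{clsid}\\InprocServer32')
                    for hive in CLSID_HIVES
                    if f'{hive}\\CLSID\\{clsid}\\InprocServer32' in values), None)
        suspicious = dll is None or not dll.lower().startswith(TRUSTED_DIRS)
        findings.append({'name': path.rsplit('\\', 1)[1], 'clsid': clsid,
                         'dll': dll, 'suspicious': suspicious})
    return findings

if __name__ == '__main__':
    for f in find_overlay_handlers(parse_reg(SAMPLE_REG)):
        print(('SUSPICIOUS ' if f['suspicious'] else 'ok         ') + f"{f['name']}: {f['dll']}")
```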

Interesting. Thanks for posting it. (CNY)


I added *\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers* to my protected registry keys :-TU

The key is covered by Autoruns.

Strange??? Automatic Startup on my configuration didn’t have it.

I mean Autoruns by Sysinternals, not CFP.

You’re welcome :).