Today I was confronted with malware and here are my results:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe\wcoredk.exe
netstat -aon showed 18.104.22.168:32132 as the destination.
While it runs, wcoredk.exe 'kills' Sysinternals TCPView, NirSoft CurrPorts and Sysinternals Process Explorer. Finally, ANVIR helped me out!!!
Furthermore, it disables 'Show hidden files and folders' shortly after it has been set, and although it had a PID it had no process name, so it wasn't listed in any task manager.
So it looks like it is/was a rootkit-dressed Trojan/mailer.
But the AV vendors are working on it now:
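An entry under Image File Execution Options is a documented persistence and hijack mechanism: a Debugger value beneath the subkey named after an executable makes Windows start that "debugger" whenever the executable is launched. The following Python script is an added example, not part of the original post: it scans the text of a `reg export` dump of the IFEO key and reports every subkey carrying a Debugger value. The dump embedded below is constructed; the names come from the post, but the Debugger value and its path are assumptions for illustration, not observed data.

```python
import re

# Constructed sample of what `reg export` of the IFEO key could look like on a
# host where conime.exe has been hijacked. The Debugger path is an assumption.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
"Debugger"="C:\\WINDOWS\\system32\\wcoredk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscorwks.dll"=dword:00000001
"""

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} parsed from a .reg file body."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def find_ifeo_debuggers(text):
    """List (hijacked_exe, debugger_path) for each direct IFEO subkey with a Debugger value."""
    hits = []
    prefix = IFEO_KEY.lower() + "\\"
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(prefix):
            continue
        target = key[len(IFEO_KEY) + 1:]
        if "\\" in target:                # ignore nested subkeys such as PerfOptions
            continue
        dbg = values.get("Debugger")
        if dbg is not None:
            # drop the surrounding quotes and undo .reg backslash doubling
            hits.append((target, dbg.strip('"').replace("\\\\", "\\")))
    return hits


if __name__ == "__main__":
    for exe, dbg in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        print(f"IFEO Debugger set for {exe}: {dbg}")
```

Any hit should be compared against the debuggers you expect on that host; on a machine without developer tooling installed, a Debugger value pointing into system32 deserves a closer look.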
1.) McAfee Labs
McAfee Labs – Beaverton
Current Scan Engine Version: 5400.1158
Current DAT Version: 5896.0000
Thank you for your submission.
Analysis ID: 5815572
File Name   | Findings      | Detection      | Type   | Extra
wcoredk.exe | new detection | spam-mailbot.u | Trojan | yes
AVERT has caught an issue with the EXTRA.DAT we generated for you. Your submission is being forwarded to an AVERT Researcher for further analysis. In the meantime, it is recommended that you update your DAT and engine files and scan your computer again. You will be contacted through e-mail with the results of our analysis.
new detection [wcoredk.exe]
2.) Microsoft Security Essentials