{
	"id": "e9b9f032-2bc3-4987-a8b6-e1bcee5ab0fd",
	"created_at": "2026-04-06T00:15:00.256947Z",
	"updated_at": "2026-04-10T03:24:29.405306Z",
	"deleted_at": null,
	"sha1_hash": "2fe4739d106d9b7041fa41c5df76ed61fe8a5019",
	"title": "Trojan.Koredos Comes with an Unwelcomed Surprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47842,
	"plain_text": "Trojan.Koredos Comes with an Unwelcomed Surprise\r\nArchived: 2026-04-05 13:25:29 UTC\r\nRecent Distributed Denial of Service (DDoS) attacks on a number of South Korean websites have been in the news for the past week. The threat responsible for carrying out these attacks is Trojan.Koredos.\r\nThis attack is reminiscent of another attack, launched on July 4th, 2009 against the U.S. and South Korean governments, as well as financial and media websites. For now, the attack has subsided and the affected sites can be accessed without any issues. However, computers that have not been cleaned of the Trojan.Koredos infection will be greeted with a surprise well after the initial infection, which we will detail in this blog.\r\nAttacks such as this usually involve a command and control (C\u0026C) server that sends commands to the compromised computers, resulting in systematic and coordinated attacks. In this case, the commands do not come from a C\u0026C—they are hidden inside the threat.\r\nThere are many components involved in the attack, and that alone indicates some level of sophistication. Of those files, the destructive behavior is carried out by the s[RANDOM LETTERS]svc.dll file. While we have seen several variants of this .dll, the end result is the same—the master boot record (MBR) of the compromised computer is destroyed.\r\nSome variants scan the fixed drives of compromised computers for files with various extensions that are used by software predominantly used in Korea (e.g. .alz, .gul, and .hwp). This strongly suggests the threat targets computers located in Korea.\r\nFigure 1 – Heatmap showing Trojan.Koredos infections.\r\nFigure 2 – The threat searching for file extensions.\r\nThe threat overwrites the files with all zeros. Additionally, if the file size is larger than or equal to 10,485,760 bytes, the threat simply deletes the files. 
If a file does not meet the previous condition, the threat creates a .cab file using the original file name, and deletes the original file. Ordinarily, deleted files can be restored using various methods, but since the threat overwrites the files with zeros, the original file cannot be restored.\r\nThe threat destroys the MBR of all drives if one of the following conditions is met:\r\nThe %System%\\noise03.dat file is missing. The noise03.dat file is a part of Trojan.Koredos that contains the number 7 within it. This is the number of days after which the destruction functionality is triggered. One interesting part is that the number can be overwritten, though the threat can only distinguish up to 10. (Any number over 10 will be interpreted as 7.) This means the maximum life of the compromised computer is 10 days.\r\nFigure 3 – Creating the noise03.dat file with the date and time of infection and days to attack.\r\nhttps://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise\r\nPage 1 of 2\n\nA %System%\\dnsec.dat file exists, and its first four bytes are all zero. The dnsec.dat file is also a component of W32.Koredos that works with other threat components.\r\nFigure 4 – Overwriting files with zeros and checking that the file size is greater than 10,485,760 bytes.\r\nThe current date and time is at least 7 days, or the number of days stored in %SYSTEM%\\noise03.dat, after the time of first infection.\r\nThe current date and time is equal to or later than 7 to 10 days after first infection. As explained previously, the number can be manually overwritten in the %System%\\noise03.dat file, but the operating system will still be destroyed.\r\nFigure 5 – Checking that 7 to 10 days have passed.\r\nIn short, the infected computers can live up to 10 days if they are not cleaned. Symantec provides protection against the threat. 
Please make sure you keep virus definitions up-to-date to keep your valuable data safe from the destructive threat.\r\nThanks to Masaki Suenaga for his contributions to this blog.\r\nSource: https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise"
	],
	"report_names": [
		"trojankoredos-comes-unwelcomed-surprise"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434500,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fe4739d106d9b7041fa41c5df76ed61fe8a5019.pdf",
		"text": "https://archive.orkl.eu/2fe4739d106d9b7041fa41c5df76ed61fe8a5019.txt",
		"img": "https://archive.orkl.eu/2fe4739d106d9b7041fa41c5df76ed61fe8a5019.jpg"
	}
}