PE_Corelink.C-O is a file infector that may be dropped by PE_CORELINK.C.

It drops a file which is detected by Trend Micro as TROJ_AGENT.THK. It injects threads into the legitimate EXPLORER.EXE process to prevent its easy detection.

It infects by appending its code to target host files, while compressing the target host files at the same time. It infects .EXE files. It does not infect .EXE files in specified folders.


This file infector propagates via network shares. It uses a list of user names and passwords to drop copies of itself in password-protected shares.

It downloads files. As a result, the routines of the downloaded files are observed on the affected system.

It terminates certain processes, if found running in memory.

Technical details can be found at this Trend Micro page.