BackDoor.PlugX.77

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Application Verifier' = '%APPDATA%\ApplicationVerifier\ApplicationVerifier.cpl'

Malicious functions

Injects code into

the following user processes:

iexplore.exe

Modifies file system

Creates the following files

%APPDATA%\applicationverifier\applicationverifier.cpl
%APPDATA%\vftphnuckatx
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\1oneaz08\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\uonvryjj\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\cdp0o06i\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\52j0br4q\desktop.ini
%APPDATA%\microsoft\windows\cookies\low\index.dat
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat

Sets the 'hidden' attribute to the following files

%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\1oneaz08\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\uonvryjj\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\cdp0o06i\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\52j0br4q\desktop.ini

Deletes the following files

%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\aspdotnet_logo.jpg
%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\darkblue_grad.jpg
%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\help.jpg
%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\security_watermark.jpg
%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\topgradrepeat.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\aspdotnet_logo.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\darkblue_grad.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\help.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\security_watermark.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\topgradrepeat.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\aspdotnet_logo.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\darkblue_grad.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\help.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\security_watermark.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\topgradrepeat.jpg

Network activity

UDP

DNS ASK im#.##crotoo.info
DNS ASK U4############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK Sy############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK hQ############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK mT############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK Uo############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK Va############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK pE############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK oV############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK sn#bHm/L85G5fpELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK p/XdHvosdj65fpELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK Nb############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK t4############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK Cl############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK y5############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK 4j############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK qc############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK TN############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK Bw############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK vR############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK 93############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK sx############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK 7h############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK 7n############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK 3o############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK FJ############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK Ch############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK GE############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK oe############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK 4T############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK yM############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK s3############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK R9############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK u8############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK Lc############ELQtQwaOnIHQ5v0jKm.img.microtoo.info
DNS ASK Pb############ELQtQwaOnIHQ5v0jKm.img.microtoo.info

Miscellaneous

Executes the following

'%ProgramFiles(x86)%\internet explorer\iexplore.exe'
'%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial