BackDoor.PlugX.79

Technical Information

Malicious functions

Injects code into

the following system processes:

%WINDIR%\syswow64\svchost.exe

Modifies file system

Creates the following files

%APPDATA%\fyqhffrwuh
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\g2u8ky80\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\5d3ujpj9\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\k7q16gs4\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\5qlyh81l\desktop.ini
%APPDATA%\microsoft\windows\cookies\low\index.dat
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat

Sets the 'hidden' attribute to the following files

%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\g2u8ky80\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\5d3ujpj9\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\k7q16gs4\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\5qlyh81l\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini

Deletes the following files

%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\aspdotnet_logo.jpg
%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\darkblue_grad.jpg
%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\help.jpg
%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\security_watermark.jpg
%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\topgradrepeat.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\aspdotnet_logo.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\darkblue_grad.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\help.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\security_watermark.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\topgradrepeat.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\aspdotnet_logo.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\darkblue_grad.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\help.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\security_watermark.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\topgradrepeat.jpg

Network activity

UDP

DNS ASK we####.FEERLOOIK.ORG
DNS ASK JK#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK ho#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK XJ#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK Cc#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK RL#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK hf#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK bC#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK Qp#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK lV#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK 9r#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK 3J#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK lk#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK YR#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK lG#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK jz#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK uo/wHrBoGtFHkI0Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK da#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK ZC#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK RY#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK BW#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK g9#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK w2#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK WZ#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK C+#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK Ya#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK wd#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK 76#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK M/LLHt0oAtRHkI0Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK Rn#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK ZT#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK G2##Hj2I/eFHkI0Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK r1#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG
DNS ASK IL#############Bnp6ePmrYfATLWzkf.wemail.FEERLOOIK.ORG

Miscellaneous

Executes the following

'%WINDIR%\syswow64\svchost.exe'
'%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\wininet.DLL",DispatchAPICall 1

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial