Win32/Plorxos [Threat Name]

Win32/Plorxos.A [Threat Variant Name]

Category trojan
Size 273920 B
Short description

Win32/Plorxos.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan does not create any copies of itself. The trojan creates the following files:

  • %temp%\TMP%variable1%.tmp (610 B)
  • %temp%\TMP%variable2%.tmp (98304 B)

A string with variable content is used instead of %variable1-2%.


The trojan launches the following processes:

  • %temp%\TMP%variable2%.tmp

The trojan can modify the following files:

  • %currentfolder%\..\Logs\MDaemon-?*-all.log
  • %currentfolder%\..\Logs\MDaemon-?*-SMTP-(in).log
  • %currentfolder%\..\Logs\MDaemon-?*-SMTP-(out).log
  • %currentfolder%\..\Logs\MDaemon-?*-Routing.log
  • %currentfolder%\..\Logs\MDaemon-?*-POP3.log
  • %currentfolder%\..\Logs\MDaemon-?*-Content-Filter.log
  • %currentfolder%\..\Logs\MDaemon-?*-RAW.log

"..\" denotes the folder one level higher in the file system tree.

Information stealing

Win32/Plorxos.A is a trojan that steals sensitive information.


The trojan collects the following information:

  • e-mail accounts data

The following programs are affected:

  • MDaemon

The trojan searches for files with the following file extensions:

  • .msg

Only the following folders are searched:

  • %currentfolder%\..\Users\BUMAR.COM\BUMAR\

The trojan attempts to send the found files to a remote machine.


The trojan sends the information via e-mail. The trojan contains a list of one (1) e-mail address.


The trojan then removes itself from the computer.


Other information

The trojan executes the following commands:

  • ping STEP1_%variable1%.twodns.tk
  • ping STEP2_%variable2%.twodns.tk
  • ping STEP3_%variable3%.twodns.tk
  • ping STEP4_%variable4%.twodns.tk
  • ping STEP5_%variable5%.twodns.tk
  • ping STEP6_%variable6%.twodns.tk
  • ping STEP7_%variable7%.twodns.tk
  • ping STEP8_%variable8%.twodns.tk
  • ping STEP9_%variable9%.twodns.tk
  • ping STEP10_%variable10%.twodns.tk
  • ping STEP11_%variable11%.twodns.tk
  • ping STEP12_%variable12%.twodns.tk
  • ping STEP13_%variable13%.twodns.tk
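
As an added example that is not part of this threat description, the following Python detector scans DNS query logs for the STEP<n>_<variable>.twodns.tk names that the ping commands above resolve, groups hits per source host and reports which step numbers each host was seen querying. The log line format, the sample log lines and the character set allowed in the variable part are assumptions made for this example.

```python
import re
from collections import defaultdict

# Hostname pattern from the "ping STEPn_%variable%.twodns.tk" commands.
# The variable part is assumed to be alphanumeric (with dashes); adjust if needed.
STEP_HOST_RE = re.compile(
    r"^STEP(?P<step>\d{1,2})_(?P<token>[A-Za-z0-9-]+)\.twodns\.tk$",
    re.IGNORECASE,
)

# Assumed log format (constructed for this example): "<timestamp> <client_ip> <query_name>"
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s*$")


def parse_step_query(qname):
    """Return (step_number, token) if qname matches the beacon pattern, else None."""
    m = STEP_HOST_RE.match(qname.rstrip("."))  # tolerate a trailing FQDN dot
    if not m:
        return None
    return int(m.group("step")), m.group("token")


def find_beacons(lines):
    """Group matching queries per source host, in the order they were logged."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        parsed = parse_step_query(m.group("qname"))
        if parsed:
            hits[m.group("src")].append((m.group("ts"),) + parsed)
    return dict(hits)


def steps_seen(hits, src):
    """Sorted, de-duplicated list of STEP numbers observed from one host."""
    return sorted({step for _, step, _ in hits.get(src, [])})


# Constructed sample log: two benign lines, one near-miss, four true hits.
SAMPLE_LOG = """\
2014-03-01T10:00:01 10.0.0.5 www.example.com
2014-03-01T10:00:02 10.0.0.7 STEP1_a1b2c3.twodns.tk
2014-03-01T10:00:03 10.0.0.7 STEP2_d4e5f6.twodns.tk.
2014-03-01T10:00:04 10.0.0.9 step3_zz99.TWODNS.TK
2014-03-01T10:00:05 10.0.0.7 STEP13_g7h8.twodns.tk
2014-03-01T10:00:06 10.0.0.7 STEP1_notquite.twodns.tk.evil.example
"""

if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG.splitlines())
    for src, events in sorted(hits.items()):
        print(f"{src}: steps {steps_seen(hits, src)} ({len(events)} queries)")
```

A host that walks through several STEP numbers in quick succession is the signal worth alerting on; a single match may be a typo or a scanner.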

The following files are deleted:

  • %currentfolder%\..\App\wsock32.dll
  • %currentfolder%\..\SpamAssassin\secur32.dll
  • %currentfolder%\..\SpamAssassin\sspicli.dll
  • %currentfolder%\..\SpamAssassin\ws2_32.dll
  • %temp%\TMP%variable14%.tmp
  • %temp%\TMP%variable15%.tmp

A string with variable content is used instead of %variable1-15%.


The trojan needs the following files to run:

  • %currentfolder%\..\App\MDUSER.DLL
