Backdoor.Korplug.C
First posted on 03 March 2015.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Korplug.C.
Explanation:
This Trojan is known to be dropped by specially crafted RTF files that exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).
When the Trojan is executed, it creates the following files:
%AllUsersProfile%\DRM\sock5proxy\SXLOC.DLL
%AllUsersProfile%\DRM\sock5proxy\SX.EXE
%AllUsersProfile%\DRM\sock5proxy\[RANDOM FILE NAME]
The Trojan creates the following registry entries:
HKEY_CURRENT_USER\Software\BINARY\"SXLOC.ZAP" = [BINARY DATA]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sock5proxy\"DisplayName" = "sock5proxy"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sock5proxy\"ImagePath" = "%AllUsersProfile%\DRM\sock5proxy\SX.EXE"
The Trojan creates, and then injects itself into the following processes:
%System%\svchost.exe
%System%\msiexec.exe
Next, the Trojan may connect to one or more of the following domains and open a back door on the compromised computer:
abcdollar.mooo.com
freemoney.ignorelist.com
sumy2012.jkub.com
dheeraj_gaurav.mooo.com
The Trojan logs keystrokes on the compromised computer and saves the information to the following location:
%AllUsersProfile%\DRM\sock5proxy\[RANDOM FILE NAME]
The Trojan may then perform the following actions:
Enumerate available drives
Find, read, write, copy, rename, delete, or move files
Create directories
Expand environment strings
Map a network drive
Enumerate network resources
Shut down and restart the compromised computer
Lock the compromised computer
Create, enumerate, and end processes
Enumerate, create, copy, and delete registry keys
Enumerate, set, delete, and get registry values
Take screenshots
Change service configurations
Start and delete services
Create remote shells
Get SQL data sources
Get SQL driver information
Execute SQL statements
Start Telnet servers
Last update 03 March 2015
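The file, registry, service and domain indicators above are the practical hunting material in this write-up. The script below is an added example (not Symantec's code) that turns them into a matcher over host events. It assumes a constructed tab-separated event format (event type, then arguments) standing in for whatever your EDR or Sysmon export actually produces; adapt the parser to your real field names. Two details matter in practice: %AllUsersProfile% expands to C:\ProgramData on Windows Vista and later but to C:\Documents and Settings\All Users on XP, so the drop directory is matched as a case-insensitive path suffix rather than an absolute path; and any file in that directory other than SX.EXE and SXLOC.DLL fills the [RANDOM FILE NAME] slot (the keystroke log), so it is flagged too. The domains are dynamic-DNS names whose addresses change, so matching is on the name, not an IP.

```python
"""Match the Backdoor.Korplug.C indicators from the write-up against host events.

Added example, not part of the original page. The event format is a
constructed one: one event per line, fields separated by tabs.
"""
from dataclasses import dataclass

# Indicators copied from the write-up. Windows file and registry paths are
# case-insensitive, so everything is compared in lower case.
C2_DOMAINS = {
    "abcdollar.mooo.com",
    "freemoney.ignorelist.com",
    "sumy2012.jkub.com",
    "dheeraj_gaurav.mooo.com",
}
DROP_DIR = "\\drm\\sock5proxy\\"        # suffix under %AllUsersProfile%
KNOWN_DROPPED = {"sxloc.dll", "sx.exe"}
SERVICE_NAME = "sock5proxy"
CONFIG_VALUE = "hkey_current_user\\software\\binary\\sxloc.zap"
SERVICE_KEY = "hkey_local_machine\\system\\currentcontrolset\\services\\sock5proxy"
HIVE_ALIASES = {"hkcu": "hkey_current_user", "hklm": "hkey_local_machine"}


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str  # which indicator class fired
    detail: str     # the matched value as it appeared in the event


def _norm_reg(path: str) -> str:
    """Lower-case a registry path and expand HKCU/HKLM abbreviations."""
    path = path.lower().replace("/", "\\")
    hive, _, rest = path.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + "\\" + rest


def _check_file(path: str):
    """Classify a file path: known dropped file, other file in the drop dir, or None."""
    p = path.lower()
    idx = p.find(DROP_DIR)
    if idx == -1:
        return None
    name = p[idx + len(DROP_DIR):]
    if name in KNOWN_DROPPED:
        return "dropped_file"
    # Anything else here fills the [RANDOM FILE NAME] slot (keystroke log).
    return "drop_dir_unknown_file"


def find_iocs(lines):
    """Return a Hit for every event line that matches one of the indicators."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        kind, *args = line.split("\t")
        if not args:
            continue
        if kind == "FileCreate":
            what = _check_file(args[0])
            if what:
                hits.append(Hit(n, what, args[0]))
        elif kind == "RegistrySet":
            reg = _norm_reg(args[0])
            if reg == CONFIG_VALUE:
                hits.append(Hit(n, "registry_config_blob", args[0]))
            elif reg == SERVICE_KEY or reg.startswith(SERVICE_KEY + "\\"):
                hits.append(Hit(n, "service_registry_key", args[0]))
        elif kind == "ServiceInstall":
            if args[0].lower() == SERVICE_NAME:
                hits.append(Hit(n, "service_install", args[0]))
            elif len(args) > 1 and _check_file(args[1]):
                # Renamed service whose ImagePath still points into the drop dir.
                hits.append(Hit(n, "service_imagepath", args[1]))
        elif kind == "DnsQuery":
            if args[0].lower().rstrip(".") in C2_DOMAINS:
                hits.append(Hit(n, "c2_domain", args[0]))
    return hits


def summarize(hits):
    """Count hits per indicator class, for a quick triage verdict."""
    counts = {}
    for h in hits:
        counts[h.indicator] = counts.get(h.indicator, 0) + 1
    return counts


# Constructed sample events (not real telemetry): type<TAB>args...
SAMPLE_LOG = """\
# constructed sample: type<TAB>arguments
FileCreate\tC:\\ProgramData\\DRM\\sock5proxy\\SXLOC.DLL
FileCreate\tC:\\ProgramData\\DRM\\sock5proxy\\SX.EXE
FileCreate\tC:\\ProgramData\\DRM\\sock5proxy\\a8f3k2.dat
FileCreate\tC:\\Users\\alice\\Documents\\report.docx
RegistrySet\tHKCU\\Software\\BINARY\\SXLOC.ZAP
RegistrySet\tHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\sock5proxy\\ImagePath
ServiceInstall\tsock5proxy\tC:\\ProgramData\\DRM\\sock5proxy\\SX.EXE
DnsQuery\tFreeMoney.IgnoreList.com.
DnsQuery\twww.example.com
""".splitlines()

if __name__ == "__main__":
    for hit in find_iocs(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator}: {hit.detail}")
    print(summarize(find_iocs(SAMPLE_LOG)))
```

Run it as-is to see the seven hits from the constructed sample; feed it your own export by replacing SAMPLE_LOG with the file's lines. A single c2_domain hit from a resolver log is worth chasing on its own, but the file and service indicators together are what confirm the host was actually compromised rather than merely looking up a name.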