
Trojan.Plugfakeav


First posted on 24 October 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Plugfakeav.

Explanation :

When the Trojan is executed, it creates the following files:
%SystemDrive%\Documents and Settings\All Users\Application Data\Google\Chrome\User Data\Default\Extensions\fffdibkepdhebmljdkdjlgibpjpaflhi\2.5_0\page.js
%SystemDrive%\Documents and Settings\All Users\Application Data\Google\Chrome\User Data\Default\Extensions\fffdibkepdhebmljdkdjlgibpjpaflhi\2.5_0\back.js
%SystemDrive%\Documents and Settings\All Users\Application Data\Google\Chrome\User Data\Default\Extensions\fffdibkepdhebmljdkdjlgibpjpaflhi\2.5_0\manifest.json
When the Trojan is installed, it requests permission to perform the following functions:
Read and change browsing history
Read and change data on visited websites
Manage downloads
Change settings that control website access to cookies, JavaScript, plugins, microphones, and cameras
Manage apps, extensions, and themes
The Trojan displays its name as the following:
Security Shield KIS 2.5
The Trojan receives scripts to inject into web pages from the following remote location:
http:/bestorats.in
The Trojan may inject malicious scripts into web pages displayed on Chrome on the compromised computer.

The Trojan may send the following information back to the remote location:
List of installed Chrome extensions
The Trojan may block advertisements from third-party websites.
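
A defender-side check for the artefacts listed above, as an added example that is not part of the original write-up: it audits Chrome extension manifests for the extension ID, the display name and the permission combination described. The manifest permission names and host patterns are an assumed mapping of the listed install prompts, and the function names and sample manifests are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

KNOWN_ID = "fffdibkepdhebmljdkdjlgibpjpaflhi"   # extension folder from the write-up
KNOWN_NAME = "Security Shield KIS 2.5"          # displayed name from the write-up
# Assumption: manifest permissions behind the five install prompts listed.
RISKY_API = {"history", "downloads", "contentSettings", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(ext_id, manifest):
    """Return findings for one extension ID and its parsed manifest."""
    findings = ["known extension ID"] if ext_id == KNOWN_ID else []
    name = str(manifest.get("name", ""))
    # Assumption: the shown name may be the name alone or name plus version.
    if KNOWN_NAME in (name, f"{name} {manifest.get('version', '')}"):
        findings.append("known display name")
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # Flag only the combination: all four APIs plus access to every site.
    if RISKY_API <= perms and perms & BROAD_HOSTS:
        findings.append("full permission set from the write-up")
    return findings

def scan_extensions(root):
    """Audit every <root>/<extension id>/<version>/manifest.json."""
    report = {}
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            findings = audit_manifest(ext_id, manifest)
        except (OSError, ValueError, AttributeError, TypeError):
            findings = ["manifest unreadable or malformed"]
        if findings:
            report[ext_id] = findings
    return report

def make_sample(root):
    """Write two constructed manifests (not real samples) under root."""
    bad = {"name": "Security Shield KIS", "version": "2.5", "permissions":
           ["history", "downloads", "contentSettings", "management", "<all_urls>"]}
    good = {"name": "Notes", "version": "1.0", "permissions": ["storage"]}
    for ext_id, ver, data in ((KNOWN_ID, "2.5_0", bad), ("a" * 32, "1.0_0", good)):
        folder = Path(root) / ext_id / ver
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(data), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(scan_extensions(tmp))
```

Point `scan_extensions` at a Chrome profile's `Extensions` directory to audit a real installation; an ID or name match is a direct indicator, while the permission finding alone only marks an extension for review.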

Last update 24 October 2015

 
