Trojan:Win32/Plexardu.A


First posted on 10 September 2012.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Plexardu.A.

Explanation:

Trojan:Win32/Plexardu.A is a network-sniffing trojan that intercepts Internet traffic and steals sensitive information.
Installation

Trojan:Win32/Plexardu.A is dropped on your computer by TrojanDropper:Win32/Plexardu.A, along with TrojanClicker:Win32/Plexardu.A, as the following files:

  • <system folder>\devenv.exe, detected as Trojan:Win32/Plexardu.A
  • %windir%\system\services.exe, detected as TrojanClicker:Win32/Plexardu.A


TrojanDropper:Win32/Plexardu.A also drops DLL files that belong to the WinPcap program, which the trojan uses to capture data transmitted over your network.

Note that the WinPcap program is not a malicious program in itself; the trojan installs and uses the program's files to spy on your computer's network activities.

When run, Trojan:Win32/Plexardu.A checks that you are connected to the Internet by contacting www.baidu.com, and then runs its payload.

If it doesn't find an Internet connection, it continues to check until one is established.

Trojan:Win32/Plexardu.A creates a mutex named "awxaglqbpzjg". Generally, malware creates a mutex to serve as an "infection marker", which prevents multiple instances of the malware from running on your computer.

Payload

Redirects Internet connections

Trojan:Win32/Plexardu.A uses the WinPcap DLL files to perform the following actions on your network:

  • Redirect Internet traffic away from your computer to an attacker's computer
  • Redirect certain websites to other addresses


Steals sensitive information

Trojan:Win32/Plexardu.A may also steal your FTP server user names and passwords, so that an attacker could access your FTP server or network using your logon details.

Contacts remote hosts

The trojan connects to the following domains, possibly to obtain a list of Internet sites to redirect to:

  • http://www.ikkpk.com/
  • http://www.zxslb.com/


Note: At the time of analysis we were unable to confirm the purpose of this behavior or obtain a list of the targeted websites or addresses.
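The file, DLL and domain indicators listed under Installation and Contacts remote hosts above can be turned into host-triage rules. The following is an added example, not part of the encyclopedia entry or Microsoft's tooling; it runs over constructed telemetry events, assumes the WinPcap user-mode DLL names wpcap.dll and Packet.dll (documented WinPcap file names, not quoted in the entry), and uses a hypothetical allowlist of programs expected to load WinPcap.

```python
import ntpath

# Indicators quoted in the encyclopedia entry above.
PLEXARDU_DOMAINS = {"www.ikkpk.com", "www.zxslb.com"}
# WinPcap's two user-mode DLLs (documented WinPcap file names, not taken from the entry).
WINPCAP_DLLS = {"wpcap.dll", "packet.dll"}
# Hypothetical allowlist of programs expected to load WinPcap on this host.
EXPECTED_WINPCAP_LOADERS = {"wireshark.exe", "dumpcap.exe"}
SYSTEM32 = r"c:\windows\system32"

def norm(path):
    """Lower-case a path and expand the placeholders the entry uses (<system folder>, %windir%)."""
    return path.lower().replace("<system folder>", SYSTEM32).replace("%windir%", r"c:\windows")

def triage(events):
    """Return (event id, reason) for every telemetry event matching a Plexardu indicator."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            image = norm(ev["image"])
            name, folder = ntpath.basename(image), ntpath.dirname(image)
            # The clicker masquerades as services.exe in %windir%\system rather than System32.
            if name == "services.exe" and folder != SYSTEM32:
                hits.append((ev["id"], f"services.exe outside System32: {image}"))
            # The sniffer is dropped as devenv.exe in the system folder, where it never belongs.
            if name == "devenv.exe" and folder == SYSTEM32:
                hits.append((ev["id"], f"devenv.exe in system folder: {image}"))
        elif ev["type"] == "image_load":
            dll, loader = ntpath.basename(norm(ev["dll"])), ntpath.basename(norm(ev["image"]))
            # WinPcap itself is benign; an unexpected loader is the signal.
            if dll in WINPCAP_DLLS and loader not in EXPECTED_WINPCAP_LOADERS:
                hits.append((ev["id"], f"{loader} loaded WinPcap DLL {dll}"))
        elif ev["type"] == "dns" and ev["query"].lower() in PLEXARDU_DOMAINS:
            hits.append((ev["id"], f"lookup of Plexardu domain {ev['query']}"))
    return hits

# Constructed sample telemetry; a clean host would produce only events 1, 5 and 7.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\services.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\system\services.exe"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\devenv.exe"},
    {"id": 4, "type": "image_load", "image": r"C:\Windows\System32\devenv.exe", "dll": r"C:\Windows\System32\wpcap.dll"},
    {"id": 5, "type": "image_load", "image": r"C:\Program Files\Wireshark\dumpcap.exe", "dll": r"C:\Windows\System32\wpcap.dll"},
    {"id": 6, "type": "dns", "query": "www.zxslb.com"},
    {"id": 7, "type": "dns", "query": "www.baidu.com"},  # the connectivity check alone is too noisy to alert on
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

The baidu.com connectivity check is deliberately not a rule on its own: it is ordinary traffic on many hosts and only becomes meaningful alongside the file or DLL indicators.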

Related encyclopedia entries

TrojanDropper:Win32/Plexardu.A

TrojanClicker:Win32/Plexardu.A



Analysis by Mihai Calota

Last update 10 September 2012
