Home / malware Trojan:Win32/Plexardu.A
First posted on 10 September 2012.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Plexardu.A.
Explanation :
Trojan:Win32/Plexardu.A is a network-sniffing trojan that intercepts Internet traffic and steals sensitive information.
Installation
Trojan:Win32/Plexardu.A is dropped on your computer by TrojanDropper:Win32/Plexardu.A, along with TrojanClicker:Win32/Plexardu.A, as the following files:
- <system folder>\"devenv.exe", detected as Trojan:Win32/Plexardu.A
- %windir%\system\"services.exe", detected as TrojanClicker:Win32/Plexardu.A
TrojanDropper:Win32/Plexardu.A also drops DLL files that belong to the WinPcap program, which the trojan uses to capture data transmitted over your network.
Note that the WinPcap program is not a malicious program in itself; the trojan installs and uses the program's files to spy on your computer's network activities.
When run, Trojan:Win32/Plexardu.A checks that you are connected to the Internet by contacting www.baidu.com, and then runs its payload.
If it doesn't find an Internet connection, it continues to check until one is established.
Trojan:Win32/Plexardu.A creates a mutex named "awxaglqbpzjg". Generally, malware create mutexes to serve as "infection markers", which prevent multiple instances of the malware from running on your computer.
Payload
Redirects Internet connections
Trojan:Win32/Plexardu.A uses the WinPcap DLL files to perform the following actions on your network:
- Redirect Internet traffic away from your computer to an attacker's computer
- Redirect certain websites to other addresses
Steals sensitive information
Trojan:Win32/Plexardu.A may also steal your FTP server user names and passwords, so that an attacker could access your FTP server or network using your logon details.
Contacts remote hosts
The trojan connects to the following domains, possibly to obtain a list of Internet sites to redirect to:
- http://www.ikkpk.com/
- http://www.zxslb.com/
Note: At the time of analysis we were unable to confirm the purpose of this behavior or obtain a list of the targeted websites or addresses.
Related encyclopedia entries
TrojanDropper:Win32/Plexardu.A
TrojanClicker:Win32/Plexardu.A
Analysis by Mihai Calota
Last update 10 September 2012