Virus:Win32/Slugin.A
First posted on 09 March 2019.
Source: Microsoft
Aliases:
Virus:Win32/Slugin.A is also known as Win32/Slugin.A, Trojan.Win32.Patched.dj, W32/Slugin-A, Win32/Slugin.A, Win32.Slugin.A, W32/Wplugin, W32/Wplugin.A.
Explanation:
Installation
Virus:Win32/Slugin.A tries to create the file "Wplugin.dll" in one of your computer's Application Data folders. It may also create a file named "explorer.exe.local" in the Windows folder.
It sends an email to the following addresses to notify them that your PC has been infected:
cvmb@hotmail.com
sv003@yahoo.com
It also creates the file "%LOCALAPPDATA%MicrosoftExplorerWin32Cfg.cfg", which contains virus configuration details.
Spreads via...
File infection
Virus:Win32/Slugin.A infects all .EXE and .DLL files in all available drives, including removable drives.
It may display the following message box if it tries to infect a file in, for example, drive A:
Payload
Creates other malware
Virus:Win32/Slugin.A creates the following .DLL components in your computer:
%LOCALAPPDATA%\wplugin.dll
%ProgramFiles%\Messenger\ws2help.dll
%windir%\system32\Wplugin.dll
%windir%\system32\ws2help.dll
%windir%\Wplugin.dll
%windir%\ws2help.dll
These files are detected as Virus:Win32/Slugin.A!dll.
Allows backdoor access and control
Virus:Win32/Slugin.A opens multiple TCP ports between 10100 and 10300 to listen to commands from a remote attacker. These commands include, but are not limited to, the following:
Uploading and downloading files
Starting or stopping system services
Sending spam messages
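A defender can look for the listener pattern described above by parsing `netstat -ano` output and grouping listening TCP ports in the 10100 to 10300 range by process ID. This is an added example, not part of the original write-up; the sample output is constructed, and the inclusive port bounds and the two-listener threshold are assumptions.

```python
import re
from collections import defaultdict

# Port range the write-up gives for the backdoor listeners (bounds assumed inclusive).
PORT_MIN, PORT_MAX = 10100, 10300

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:10101          0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:10217          0.0.0.0:0              LISTENING       1432
  TCP    192.168.1.20:10150     203.0.113.7:443        ESTABLISHED     2210
  TCP    [::]:10300             [::]:0                 LISTENING       1432
  TCP    [::]:10301             [::]:0                 LISTENING       3004
  UDP    0.0.0.0:10200          *:*                                    1100
"""

# Captures: local address, local port, state, PID (foreign address is skipped).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$")


def listeners_in_range(netstat_text, lo=PORT_MIN, hi=PORT_MAX):
    """Map PID -> sorted list of TCP ports in [lo, hi] that are LISTENING."""
    hits = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows (no state column), blank lines
        _addr, port, state, pid = m.groups()
        if state == "LISTENING" and lo <= int(port) <= hi:
            hits[int(pid)].add(int(port))
    return {pid: sorted(ports) for pid, ports in hits.items()}


def suspicious_pids(netstat_text, min_ports=2):
    """PIDs holding several listeners in the range (threshold is an assumption)."""
    found = listeners_in_range(netstat_text)
    return {pid: ports for pid, ports in found.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for pid, ports in suspicious_pids(SAMPLE_NETSTAT).items():
        print(f"PID {pid} listens on {ports}; check its loaded modules")
```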
Your computer may display the following message box, as this virus tries to allow a remote attacker to connect and listen in on your computer:
Steals PC information
Virus:Win32/Slugin.A can send an email to the address "cvbm@hotmail.com", containing information about your PC, such as your network configuration. The email is sent from the address "sv003@yahoo.com" and has the subject "workshop".
Analysis by Patrik Vicol and Jim Wang
Last update 09 March 2019