Trojan Win32 korplug msr là gì

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following processes:

• "%System%\rundll32.exe" %System%\shell32.dll,OpenAs_RunDLL {malware file path and name}
• {malware file path and name}
• %System%\svchost.exe -k netsvcs
• %System%\svchost.exe -k WerSvcGroup
• %Windows%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
• %System%\svchost.exe -k LocalServiceAndNoImpersonation
• %Windows%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
• %System%\sppsvc.exe
• "%System Root%\Program Files\Windows Media Player\wmpnetwk.exe"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It creates the following folders:

• %Windows%\ServiceProfiles\NetworkService\AppData\Local\Microsoft

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Other System Modifications

This Trojan deletes the following files:

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Program Files%\Adobe\Acrobat Reader DC\
Reader
AcroRd32.exe = "Adobe Acrobat Reader DC "

HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Windows%\eHome
ehshell.exe = "Windows Media Center"

HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%System%
mspaint.exe = "Paint"

HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Program Files%\MICROS~1\Office12
OIS.EXE = "Microsoft Office Picture Manager"

HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Program Files%\Windows Photo Viewer
PhotoViewer.dll = "Windows Photo Viewer"

HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%System Root%\Program Files\VMware\
VMware Tools
VMwareHostOpen.exe = "Default Host Application"

HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Program Files%\Microsoft Office\Office12
WINWORD.EXE = "Microsoft Office Word"

HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Program Files%\Windows Media Player
wmplayer.exe = "Windows Media Player"

HKEY_CURRENT_USER\Software\Classes\
Local Settings\Software\Microsoft\
Windows\Shell\MuiCache\
%Program Files%\Windows NT\Accessories
WORDPAD.EXE = "WordPad"

Dropping Routine

This Trojan drops the following files:

• %All Users Profile%\Microsoft\Windows\DRM\drmstore.hds
• %All Users Profile%\Microsoft\Windows\DRM\v3ks.sec
• %AppDataLocal%\Microsoft\Media Player\CurrentDatabase_372.wmdb

(Note: %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). . %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

This report is generated via an automated analysis system.