Win32/Korplug [Threat Name] go to Threat

Win32/Korplug.A [Threat Variant Name]

Category trojan
Size 296726 B
Detection created Jul 05, 2012
Detection database version 10224
Aliases Backdoor:Win32/Plugx.A (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using RAR SFX .


When executed, the trojan creates the following files:

  • %allusersprofile%\­MicroSys\­Mc.Exe (140576 B)
  • %allusersprofile%\­MicroSys\­McUtil.dll (49152 B, Win32/Korplug.BL)
  • %allusersprofile%\­MicroSys\­McUtil.dll.url (124587 B, Win32/Korplug.BL)

The trojan registers itself as a system service using the following name:

  • MicroSys

This causes the trojan to be executed on every system start.

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "MicroSys" = "%allusersprofile%\­MicroSys\­Mc.Exe"

The trojan launches the following processes:

  • %systemroot%\­system32\­svchost.exe
  • %systemroot%\­system32\­msiexec.exe

The trojan creates and runs a new thread with its own code within these running processes.

Information stealing

Win32/Korplug.A is a trojan that steals sensitive information.

The trojan collects the following information:

  • computer name
  • user name
  • CPU information
  • memory status
  • display resolution
  • operating system version
  • list of running services
  • the path to specific folders

The trojan is able to log keystrokes.

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The TCP, UDP, HTTP protocol is used.

It can execute the following operations:

  • obtain the list of shared network folders
  • send files to a remote computer
  • send the list of disk devices and their type to a remote computer
  • send the list of running processes to a remote computer
  • send the list of files on a specific drive to a remote computer
  • send open TCP and UDP port numbers to a remote computer
  • uninstall itself
  • log off the current user
  • shut down/restart the computer
  • display a dialog window
  • create folders
  • various filesystem operations
  • various Registry operations
  • download files from a remote computer and/or the Internet
  • run executable files
  • start/stop services
  • execute shell commands
  • simulate user's input (clicks, taps)
  • execute SQL commands
  • capture screenshots

The trojan hides its presence in the system.

The trojan can be used to gain full access to the compromised computer.

Please enable Javascript to ensure correct displaying of this content and refresh this page.