Win32/Korplug [Threat Name] go to Threat

Win32/Korplug.HM [Threat Variant Name]

Category trojan
Size 293903 B
Aliases Trojan.Win32.PlugX.b (Kaspersky)
  TR/Korplug.aiqaj (Avira)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using RAR SFX .


When executed, the trojan creates the following files:

  • %malwaretargetfolder%\­mcut.exe
  • %malwaretargetfolder%\­mcutil.dll
  • %malwaretargetfolder%\­

The %targetmalwarefolder% is one of the following strings:

  • %systemdrive%\­ProgramData\­rZnmnSnXTvrDoz\­
  • %systemdrive%\­Documents and Settings\­All Users\­DRM\­rZnmnSnXTvrDoz\­
  • %systemdrive%\­Documents and Settings\­All Users\­Application Data\­rZnmnSnXTvrDoz\­

The trojan may register itself as a system service using the following name:

  • rSzrXHPc

The trojan may set the following Registry entries:

  • [KEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "gMsoBAlQaIyM" = "%malwaretargetfolder%\­mcut.exe"

This causes the trojan to be executed on every system start.

Information stealing

Win32/Korplug.HM is a trojan that steals sensitive information.

The following information is collected:

  • information about the infected computer
  • operating system version
  • computer name
  • user name
  • CPU information
  • display resolution
  • amount of operating memory
  • proxy server settings
  • files and Registry entries
  • list of running processes
  • list of running services
  • logged keystrokes
  • screenshots
  • number of milliseconds that have elapsed since the system was started

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The TCP, HTTP protocol is used in the communication.

It may perform the following actions:

  • show fake alerts
  • log off the current user
  • shut down/restart the computer
  • simulate keyboard activity
  • simulate mouse activity
  • simulate user's input (clicks, taps)
  • create files
  • rename files
  • copy files
  • move files
  • delete files
  • create folders
  • delete folders
  • delete Registry entries
  • delete Registry entries
  • terminate running processes
  • execute shell commands
  • execute SQL commands

The trojan can create and run a new thread with its own program code within the following processes:

  • iexplore.exe
  • svchost.exe
  • msiexec.exe

The trojan may create the following files:

  • %malwaretargetfolder%\­%variable%
  • %malwaretargetfolder%\­mcut\­screen\­%YYYYMMDDhhmmss%.jpg

A string with variable content is used instead of %variable%, %YYYYMMDDhhmmss% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.