Win32/Pliskal [Threat Name] go to Threat

Win32/Pliskal.A [Threat Variant Name]

Category trojan
Size 47616 B
Aliases Backdoor:Win32/Crugup.A (Microsoft)
Short description

Win32/Pliskal.A serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\­%uid%\­svchost.exe

A string with variable content is used instead of %uid% .


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­policies\­Explorer\­Run]
    • "z64_kernel" = %appdata%\­%uid%\­svchost.exe
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "z64_kernel" = %appdata%\­%uid%\­svchost.exe
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "z64_kernel" = %appdata%\­%uid%\­svchost.exe

This causes the trojan to be executed on every system start.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet001\­services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%appdata%\­%uid%\­svchost.exe" = "%appdata%\­%uid%\­svchost.exe:*:Enabled:svchost"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet002\­services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%appdata%\­%uid%\­svchost.exe" = "%appdata%\­%uid%\­svchost.exe:*:Enabled:svchost"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet003\­services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%appdata%\­%uid%\­svchost.exe" = "%appdata%\­%uid%\­svchost.exe:*:Enabled:svchost"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%appdata%\­%uid%\­svchost.exe" = "%appdata%\­%uid%\­svchost.exe:*:Enabled:svchost"
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­FirewallRules]
    • "{06E53A54-390B-4CC7-8AB9-1D6ED8771A85}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%appdata%\­%uid%\­svchost.exe|Name=madservice|"
  • [HKEY_CURRENT_USER\­Software\­cppguru]
    • "mv" = "%encoded_version_of_malware%"
Information stealing

The following information is collected:

  • operating system version
  • unique identifier of infected computer

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • update itself to a newer version
  • visit a specific website

Trojan can detect presence of debuggers and other analytical tools.

Please enable Javascript to ensure correct displaying of this content and refresh this page.