BKDR_PLUGX.NSC

如需此「間諜程式」的快速全面一覽，請參閱下面的「安全威脅圖表」。

它执行远程恶意用户的命令，有效地攻击受感染的系统。

它在执行后自行删除。

安装

它在受感染的系统中植入下列自身副本：

• %All Users Profile%\DRM\RasTls.exe

它植入下列文件/组件：

• %All Users Profile%\DRM\RasTls\{random file name} - Non-malicious

它创建下列文件夹：

• %All Users Profile%\DRM
• %All Users Profile%\DRM\RasTls

它向下列普通进程中注入线程：

• svchost.exe

其他系统修改

它添加下列注册表键值作为其安装例程的一部分:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
5.0\User Agent\Post Platform

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
User Agent\Post Platform

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Setttings\
5.0\User Agent

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Setttings\
User Agent

后门例程

它执行远程恶意用户的下列命令：

• Copy, move, rename, delete files
• Create directories
• Create files
• Enumerate files
• Execute files
• Get drive information
• Get file information
• Open and modify files
• Log keystrokes and active window
• Enumerate TCP and UDP connections
• Enumerate network resources
• Set TCP connection state
• Lock workstation
• Log off user
• Restart/Reboot/Shutdown system
• Display a message box
• Perfrom port mapping
• Enumerate processes
• Get process information
• Terminate processes
• Enumerate registry keys
• Create registry keys
• Delete registry keys
• Copy registry keys
• Enumerate registry entries
• Modify registry entries
• Delete registry values
• Screen capture
• Delete services
• Enumerate services
• Get service information
• Modify services
• Start services
• Perform remote shell
• Connect to a database server and execute SQL statement
• Host Telnet server

其他详细信息

它在执行后自行删除。