SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  Dropper.A_1176
Dropper.A_1176 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.

File Related Changes
It drops the following file(s) on the system:
  • "C:\WINDOWS\system32\Microsoft\Pluguin.exe"

Process Related Changes
It creates the following mutex(es):
  • c:!documents and settings!admin!local settings!temporary internet files!content.ie5!"
  • ZonesLockedCacheCounterMutex"
  • c:!documents and settings!admin!local settings!history!history.ie5!"
  • _x_X_PASSWORDLIST_X_x_"
  • Pluguin_PERSIST"
  • CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • MSCTF.Shared.MUTEX.MPC"
  • CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • ZoneAttributeCacheCounterMutex"
  • Pluguin_SAIR"
  • Pluguin"
  • ZonesCacheCounterMutex"
  • ZonesCounterMutex"
  • CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • _x_X_UPDATE_X_x_"
  • _x_X_BLOCKMOUSE_X_x_"
  • CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • c:!documents and settings!admin!cookies!"

It creates the following process(es):
  • C:\Documents and Settings\Admin\Local Settings\Temp\Software.exe
  • C:\WINDOWS\Temp\128d0ab230d6da5ac3fcc34484d74325.exe [ \c:\windows\temp\128d0ab230d6da5ac3fcc34484d74325.exe ]
  • C:\WINDOWS\system32\Microsoft\Pluguin.exe
  • C:\Program Files\Internet Explorer\iexplore.exe

It injects malicious code into the following process(es):
  • "C:\WINDOWS\explorer.exe"
  • "C:\Program Files\Internet Explorer\iexplore.exe"

Network Activity
We observed the following DNS query/queries:
  • virusss.no-ip.org

It attempts to connect to the following remote servers:
  • 192.1xxxxxx:1413

Registry Related Changes
It makes the following registry modifications to ensure infection after system reboot:
  • HKLM\system\CurrentControlSet\Services\tcpip\parameters\= C:\WINDOWS\system32\Microsoft\Pluguin.exe
  • HKU\s-1-5-21-1078081533-842925246-854245398-1003\software\microsoft\windows\currentversion\policies\explorer\run\= C:\WINDOWS\system32\Microsoft\Pluguin.exe
  • HKLM\software\microsoft\activesetup\installedcomponents\d7522wx6-50cp-jrh1-a842-xjldx31tyk32\= C:\WINDOWS\system32\Microsoft\Pluguin.exe
  • HKLM\software\microsoft\windows\currentversion\policies\explorer\run\= C:\WINDOWS\system32\Microsoft\Pluguin.exe
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\= C:\WINDOWS\system32\Microsoft\Pluguin.exe
  • HKU\s-1-5-21-1078081533-842925246-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Run\= C:\WINDOWS\system32\Microsoft\Pluguin.exe


Relevant Information