W32.Plagent


First posted on 10 September 2014.
Source: Symantec

Aliases:

There are no other names known for W32.Plagent.

Explanation:

When the worm is executed, it creates the following files:
%Windir%\83D2CDE2-8311-40CB-B51D-EBE20FA803D1.dll
%Temp%\spoolhost.exe
%ProgramFiles%\Common Files\System\coreshell.dll

Next, the worm creates the following registry entry:
HKEY_CLASSES_ROOT\CLSID\{EF7652A4-98EF-5031-226B-11456C96A7EA}\InProcServer32\"(Default)" = "%ProgramFiles%\Common Files\System\\coreshell.dll"

The worm then connects to the following remote location:
[http://]adobeincorp.com/we[REMOVED]

The worm may then receive and process commands from this remote location.

The worm may spread through removable drives.
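As an added illustration, not part of the Symantec write-up: a small Python check that matches the dropped-file and registry indicators listed above against host telemetry. The telemetry lines are constructed here, and their "event type, tab, target" format is an assumption; the placeholder expansions (%Windir%, %Temp%, %ProgramFiles%) are also assumptions about typical Windows layouts.

```python
import re

# Indicators quoted from the write-up above (W32.Plagent).
DROPPED_FILES = [
    r"%Windir%\83D2CDE2-8311-40CB-B51D-EBE20FA803D1.dll",
    r"%Temp%\spoolhost.exe",
    r"%ProgramFiles%\Common Files\System\coreshell.dll",
]
REGISTRY_KEY = r"HKEY_CLASSES_ROOT\CLSID\{EF7652A4-98EF-5031-226B-11456C96A7EA}\InProcServer32"

# Assumed expansions: tolerate drive letter, user name and the 32-bit Program Files folder.
PLACEHOLDERS = {
    "%Windir%": r"[A-Z]:\\Windows",
    "%Temp%": r"(?:[A-Z]:\\Windows\\Temp|[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp)",
    "%ProgramFiles%": r"[A-Z]:\\Program Files(?: \(x86\))?",
}

def path_pattern(ioc):
    # Turn one placeholder-prefixed path into an anchored, case-insensitive regex.
    for name, rx in PLACEHOLDERS.items():
        if ioc.startswith(name):
            return re.compile("^" + rx + re.escape(ioc[len(name):]) + "$", re.IGNORECASE)
    return re.compile("^" + re.escape(ioc) + "$", re.IGNORECASE)

FILE_PATTERNS = [path_pattern(p) for p in DROPPED_FILES]
# Telemetry often abbreviates the hive as HKCR; accept either spelling and any value name.
REG_PATTERN = re.compile(
    r"^(?:HKEY_CLASSES_ROOT|HKCR)" + re.escape(REGISTRY_KEY[len("HKEY_CLASSES_ROOT"):]) + r"(?:\\.*)?$",
    re.IGNORECASE,
)

# Constructed sample telemetry (assumed format: "<event type>\t<target>").
SAMPLE_EVENTS = [
    "FileCreate\tC:\\Windows\\83D2CDE2-8311-40CB-B51D-EBE20FA803D1.dll",
    "FileCreate\tC:\\Users\\alice\\AppData\\Local\\Temp\\SPOOLHOST.EXE",
    "FileCreate\tC:\\Program Files (x86)\\Common Files\\System\\coreshell.dll",
    "RegistrySet\tHKCR\\CLSID\\{EF7652A4-98EF-5031-226B-11456C96A7EA}\\InProcServer32\\(Default)",
    "FileCreate\tC:\\Users\\alice\\Documents\\report.docx",
    "RegistrySet\tHKCR\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InProcServer32\\(Default)",
]

def scan(events):
    """Return (kind, target) for every event that matches a W32.Plagent indicator."""
    hits = []
    for line in events:
        kind, _, target = line.partition("\t")
        if kind == "FileCreate" and any(p.match(target) for p in FILE_PATTERNS):
            hits.append(("file", target))
        elif kind == "RegistrySet" and REG_PATTERN.match(target):
            hits.append(("registry", target))
    return hits
```

Running scan(SAMPLE_EVENTS) flags the three dropped files and the CLSID key while ignoring the two unrelated events.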

Last update 10 September 2014
