Win32/Pluzoks
First posted on 14 March 2012.
Source: Microsoft
Aliases:
There are no other names known for Win32/Pluzoks.
Explanation:
Win32/Pluzoks is a trojan that silently downloads and installs other arbitrary files without user consent.
Installation
Win32/Pluzoks is installed by other malware, detected as TrojanDownloader:Win32/Pluzoks.A. The Windows registry is modified to run Win32/Pluzoks at each Windows start, as in the following example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ozplusv3"
With data: "<malware file name>.exe"
The registry data may change among variants of Win32/Pluzoks.
The malware creates data files on an affected computer, as in the following examples:
- %windir%\temp\ozplus_conifg.ini
- <current folder>\ozplus_conifg.ini
The file names may differ among variants of the trojan, for example:
- xpeadup7_conifg.ini
- subjet_conifg.ini
Payload
Contacts remote host
Win32/Pluzoks may contact a remote host to download updates of the trojan. The trojan reads a web-hosted configuration file (for example, "update.php") to retrieve the names, download URLs and version numbers of the files to fetch, as in the following example:
[downloadfile]
filecount=2
filename1=evdat2.dmc
fileurl1=http://<domain>/evdat2.dmc
ver1=13
nick1=evdat2.dmc
filename2=ozplus.dll
fileurl2=http://<domain>/1time/ozplus.dll
ver2=18
nick2=ozplus.dll
Last update 14 March 2012
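As an added, defender-side example that is not part of the Microsoft description: the Python below parses an update manifest in the INI layout shown above into structured entries (so an analyst can pull file names and URLs out of a captured manifest for blocking and hunting) and matches file names against the *_conifg.ini data-file pattern listed under Installation. The manifest text is constructed from the example above, "<domain>" is the page's own placeholder rather than a real host, and the function and class names are mine, not the malware's or Microsoft's.

```python
"""Parse a Win32/Pluzoks-style update manifest and match its file artifacts.

Assumptions (not taken from the malware itself): the manifest is INI text with
a [downloadfile] section holding `filecount` and numbered filename/fileurl/ver/
nick keys, exactly as laid out in the description above.
"""
import configparser
import re
from dataclasses import dataclass

# Constructed sample mirroring the manifest layout in the description.
# "<domain>" is the page's placeholder, not a real host.
SAMPLE_MANIFEST = """[downloadfile]
filecount=2
filename1=evdat2.dmc
fileurl1=http://<domain>/evdat2.dmc
ver1=13
nick1=evdat2.dmc
filename2=ozplus.dll
fileurl2=http://<domain>/1time/ozplus.dll
ver2=18
nick2=ozplus.dll
"""


@dataclass(frozen=True)
class DownloadEntry:
    index: int
    filename: str
    url: str
    version: int
    nick: str


def parse_update_manifest(text: str) -> list[DownloadEntry]:
    """Return the download entries declared in the [downloadfile] section.

    Entries are read strictly for indices 1..filecount. A missing key raises
    ValueError so a truncated or malformed manifest is not silently accepted
    as complete (an analyst would otherwise miss indicators).
    """
    cp = configparser.ConfigParser(interpolation=None)  # no %-interpolation on URLs
    cp.read_string(text)
    if not cp.has_section("downloadfile"):
        raise ValueError("no [downloadfile] section")
    sec = cp["downloadfile"]
    count = int(sec.get("filecount", "0"))
    entries: list[DownloadEntry] = []
    for i in range(1, count + 1):
        try:
            entries.append(DownloadEntry(
                index=i,
                filename=sec[f"filename{i}"],
                url=sec[f"fileurl{i}"],
                version=int(sec[f"ver{i}"]),
                nick=sec[f"nick{i}"],
            ))
        except KeyError as exc:
            raise ValueError(
                f"manifest declares filecount={count} but lacks key {exc}"
            ) from None
    return entries


def manifest_indicators(text: str) -> dict[str, list[str]]:
    """Collect file names (including nicks) and URLs for blocklists and hunts."""
    entries = parse_update_manifest(text)
    names = {e.filename for e in entries} | {e.nick for e in entries}
    return {"filenames": sorted(names), "urls": [e.url for e in entries]}


# The data files listed in the description all end in "_conifg.ini"
# (the malware's own misspelling), e.g. ozplus_conifg.ini, xpeadup7_conifg.ini.
_CONFIG_ARTIFACT = re.compile(r"^[A-Za-z0-9]+_conifg\.ini$", re.IGNORECASE)


def is_pluzoks_config_name(path: str) -> bool:
    """True if the basename of a Windows or POSIX path matches *_conifg.ini."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return bool(_CONFIG_ARTIFACT.match(name))


if __name__ == "__main__":
    for entry in parse_update_manifest(SAMPLE_MANIFEST):
        print(f"{entry.index}: {entry.filename} v{entry.version} <- {entry.url}")
    print(manifest_indicators(SAMPLE_MANIFEST))
    print(is_pluzoks_config_name(r"C:\Windows\temp\ozplus_conifg.ini"))
```

The strict 1..filecount loop is deliberate: if a captured manifest declares more entries than it carries, the parser reports the gap instead of returning a partial indicator list.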