Win32/Pliskal [Threat Name]

Win32/Pliskal.C [Threat Variant Name]

Category trojan
Size 92160 B
Detection created Sep 12, 2016
Signature database version 14110
Aliases Trojan.Win32.Reconyc.hspp (Kaspersky)
  Trojan.PWS.Sphinx.2 (Dr.Web)
  Backdoor:Win32/Crugup.B (Microsoft)
Short description

Win32/Pliskal.C is a trojan which tries to download other malware from the Internet. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%variable%\svchost.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Quant" = "%appdata%\%variable%\svchost.exe"

The trojan creates the following files:

  • %appdata%\%machineid%\svchost.exe:Zone.Identifier (0 B)
  • %temp%\per (67 B)

A string with variable content is used instead of %variable% and %machineid%.

The trojan executes the following command:

  • netsh advfirewall firewall add rule name="Quant" program="%appdata%\%variable%\svchost.exe" dir=Out action=allow

The command adds an outbound allow rule named "Quant" to the Windows Firewall for the dropped svchost.exe, so that its outbound connections are not blocked.

The trojan executes the following commands:

  • cmd /c echo Y|CACLS "%appdata%\%variable%\svchost.exe" /P"%username%:R"
  • cmd /c echo Y|CACLS "%appdata%\%variable%" /P"%username%:R"
  • regini %temp%\per

The CACLS commands replace the ACL on the dropped file and its directory with an entry that grants the current user read access only, so the file cannot be modified or deleted by that user without first changing the permissions. regini applies the registry script stored in %temp%\per.
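The installation steps above (svchost.exe dropped under %appdata%, the "Quant" Run value, the netsh firewall exception, the CACLS lockdown and the regini call) can be turned into host triage checks. The following is an added example written for this entry, not ESET's code and not taken from the sample; it runs over constructed process-creation, file and autorun records and also recognises the downloaded component names listed later in this entry. The user name "alice", the folder name "Xk3q" (standing in for %variable%) and all sample paths are made up.

```python
"""Triage checks for the Win32/Pliskal.C installation indicators listed above.

Added example for this entry; not ESET's code and not taken from the sample.
It runs over constructed host records (process creations in the shape of
Sysmon Event ID 1 / Security 4688, file paths, and Run-key values) and
reports the behaviours the entry describes. All sample paths, the user
'alice', and the folder name 'Xk3q' (standing in for %variable%) are made up.
"""
import re
from typing import Dict, List

# svchost.exe is legitimate only under the Windows system directories;
# the optional ':' allows an alternate data stream suffix such as :Zone.Identifier.
LEGIT_SVCHOST = re.compile(
    r"^[a-z]:\\windows\\(?:system32|syswow64)\\svchost\.exe(?::|$)", re.I)

# Either the unexpanded %appdata% form from the entry or the expanded
# ...\AppData\Roaming\ form seen in real logs.
IN_APPDATA = re.compile(r"(?:%appdata%|\\appdata\\roaming)\\", re.I)
APPDATA_SVCHOST = re.compile(
    r"(?:%appdata%|\\appdata\\roaming)\\[^\\\"']+\\svchost\.exe", re.I)

# Components the entry says are downloaded into the same directory.
DROPPED_COMPONENTS = {"zs.dll", "sqlite3.dll", "bs.dll"}


def file_findings(path: str) -> List[str]:
    """svchost.exe outside System32/SysWOW64, or a dropped DLL under AppData."""
    out = []
    base = path.rsplit("\\", 1)[-1]
    name = base.split(":", 1)[0].lower()  # strip an ADS suffix if present
    if name == "svchost.exe" and not LEGIT_SVCHOST.match(path):
        out.append(f"svchost.exe outside the system directory: {path}")
    if name in DROPPED_COMPONENTS and IN_APPDATA.search(path):
        out.append(f"downloaded component under AppData: {path}")
    return out


def command_findings(cmdline: str) -> List[str]:
    """The three post-installation commands: netsh exception, CACLS lockdown, regini."""
    out = []
    low = cmdline.lower()
    if "netsh" in low and "advfirewall" in low and "add rule" in low:
        # program= may be quoted (paths with spaces) or bare.
        m = re.search(r'program=(?:"([^"]*)"|(\S+))', cmdline, re.I)
        program = (m.group(1) or m.group(2) or "") if m else ""
        if "appdata" in program.lower():
            out.append(f"firewall exception added for an AppData binary: {program}")
    if re.search(r"\bcacls\b", low) and re.search(r'/p\s*"?[^"]*:r', low):
        out.append("CACLS replaced a file ACL with a read-only entry (self-protection)")
    if re.search(r"\bregini\b", low) and ("%temp%" in low or "\\temp\\" in low):
        out.append("regini applied a registry script from the temp directory")
    return out


def autorun_findings(name: str, value: str) -> List[str]:
    """A Run value that starts svchost.exe from a user-writable AppData path."""
    if APPDATA_SVCHOST.search(value):
        return [f"Run value {name!r} starts svchost.exe from AppData: {value}"]
    return []


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Apply the checks to a list of records keyed by 'kind'."""
    findings: List[str] = []
    for ev in events:
        if ev["kind"] == "process":
            findings += file_findings(ev["image"]) + command_findings(ev["cmdline"])
        elif ev["kind"] == "file":
            findings += file_findings(ev["path"])
        elif ev["kind"] == "autorun":
            findings += autorun_findings(ev["name"], ev["value"])
    return findings


# Constructed records mirroring the entry's installation steps (plus one benign
# svchost.exe start as a control). Not real telemetry.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"kind": "process", "image": r"C:\Users\alice\AppData\Roaming\Xk3q\svchost.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\Xk3q\svchost.exe"},
    {"kind": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Quant" '
                r'program="C:\Users\alice\AppData\Roaming\Xk3q\svchost.exe" dir=Out action=allow'},
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c echo Y|CACLS "C:\Users\alice\AppData\Roaming\Xk3q\svchost.exe" /P"alice:R"'},
    {"kind": "process", "image": r"C:\Windows\System32\regini.exe",
     "cmdline": r"regini C:\Users\alice\AppData\Local\Temp\per"},
    {"kind": "file", "path": r"C:\Users\alice\AppData\Roaming\Xk3q\svchost.exe:Zone.Identifier"},
    {"kind": "file", "path": r"C:\Users\alice\AppData\Roaming\Xk3q\sqlite3.dll"},
    {"kind": "autorun", "name": "Quant", "value": r"C:\Users\alice\AppData\Roaming\Xk3q\svchost.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The benign System32 svchost.exe record produces no finding; each of the other seven records produces exactly one. The checks key on behaviour (svchost.exe outside the system directory, a firewall exception for an AppData binary, a CACLS read-only lockdown, regini from %temp%) rather than on the random %variable% folder name, so they still match when that name differs from sample to sample.
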

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address.

It tries to download several files from the address.

These are stored in the following locations:

  • %appdata%\%variable%\zs.dll
  • %appdata%\%variable%\sqlite3.dll
  • %appdata%\%variable%\bs.dll

The files are then executed. The HTTP protocol is used.
