BKDR_PLUGX.BUT

By Domesticus in Backdoors | 10 views

BKDR_PLUGX.BUT Description

BKDR_PLUGX.BUT is a backdoor Trojan that is delivered to the affected computer by other malware, specifically BKDR_PLUGX.SME. BKDR_PLUGX.BUT is a remote access tool (RAT) known as PlugX. BKDR_PLUGX.BUT is one of the most common malware families used in targeted attacks, which have been directed mainly at Japanese government institutions. BKDR_PLUGX.BUT executes commands issued by remote attackers in order to compromise the targeted computer systems. BKDR_PLUGX.BUT records keystrokes and the active window of the victimized computer in order to steal confidential information.

BKDR_PLUGX.BUT connects to several domains and a C&C server to receive commands from its operators. After installation, BKDR_PLUGX.BUT drops malicious files. BKDR_PLUGX.BUT injects itself into the svchost.exe process as part of its memory-residency routine. BKDR_PLUGX.BUT registers its downloaded component as a system service by creating registry keys and entries so that it launches automatically whenever Windows starts.

Type: Backdoors

How Can You Detect BKDR_PLUGX.BUT?

BKDR_PLUGX.BUT Removal Details

BKDR_PLUGX.BUT typically has the following component loaded in memory:

  • All Users’ %User Profile%\Gf\NvSmartMax.dll

BKDR_PLUGX.BUT creates the following files in the system:

  • All Users’ %User Profile%\Gf\kl.log
  • All Users’ %User Profile%\Gf\boot.ldr – detected as TROJ_PLUGX.SME
  • All Users’ %User Profile%\Gf\NvSmart.exe – a legitimate NVIDIA executable (NVIDIA Smart Maximise Helper Host)

BKDR_PLUGX.BUT creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf Description = "Gf"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf DisplayName = "Gf"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf ImagePath = ""All Users’ %User Profile%\Gf\NvSmart.exe" 200 0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf Type = "110"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf Start = "2"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf ErrorControl = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf ObjectName = "LocalSystem"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FAST
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FAST CLSID = "{random hex values}"
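The file, registry and in-memory indicators above can be checked on a host with a single triage script. The following PowerShell is an added example written for this entry; it is not part of the original description or of any vendor tool. It assumes that the "All Users’ %User Profile%" path in the lists corresponds to the ALLUSERSPROFILE environment variable, and that the script runs from an elevated prompt (reading the module list of other processes needs administrator rights). The `Gf` folder, the `Gf` service key and the `FAST` class key are the values named above; everything else is a label chosen for the script.

```powershell
# Added host-triage script for the BKDR_PLUGX.BUT indicators listed in this entry.
# Assumption: "All Users' %User Profile%" is taken to be $env:ALLUSERSPROFILE.
# Run from an elevated PowerShell prompt; nothing here modifies the system.

$base     = Join-Path $env:ALLUSERSPROFILE 'Gf'
$findings = @()

# 1. Dropped files. NvSmart.exe is a legitimate NVIDIA binary, but its presence in the
#    malware-created Gf folder alongside NvSmartMax.dll is what the description flags.
foreach ($name in 'kl.log', 'boot.ldr', 'NvSmart.exe', 'NvSmartMax.dll') {
    $path = Join-Path $base $name
    if (Test-Path -LiteralPath $path) {
        $fi = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Type   = 'File'
            Item   = $path
            Detail = "size=$($fi.Length) lastwrite=$($fi.LastWriteTime)"
        }
    }
}

# 2. Service persistence: HKLM\SYSTEM\CurrentControlSet\Services\Gf (Start = 2 is auto-start).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Gf'
if (Test-Path -Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += [pscustomobject]@{
        Type   = 'Registry'
        Item   = $svcKey
        Detail = "ImagePath=$($svc.ImagePath) Start=$($svc.Start) Type=$($svc.Type) ObjectName=$($svc.ObjectName)"
    }
}

# 3. Marker key HKLM\SOFTWARE\Classes\FAST with its CLSID value.
$fastKey = 'HKLM:\SOFTWARE\Classes\FAST'
if (Test-Path -Path $fastKey) {
    $clsid = (Get-ItemProperty -Path $fastKey -ErrorAction SilentlyContinue).CLSID
    $findings += [pscustomobject]@{ Type = 'Registry'; Item = $fastKey; Detail = "CLSID=$clsid" }
}

# 4. NvSmartMax.dll resident in any process. The description names svchost.exe as the
#    injection target, so every process is checked rather than only NvSmart.exe.
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $mods = $proc.Modules | Where-Object { $_.ModuleName -ieq 'NvSmartMax.dll' }
    } catch {
        $mods = $null   # access denied on protected processes; skip them
    }
    foreach ($m in $mods) {
        $findings += [pscustomobject]@{
            Type   = 'Module'
            Item   = "$($proc.ProcessName) (PID $($proc.Id))"
            Detail = $m.FileName
        }
    }
}

if ($findings.Count -eq 0) {
    'No BKDR_PLUGX.BUT artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the `Gf` service key or on NvSmartMax.dll inside svchost.exe is the strongest signal; a lone NvSmart.exe elsewhere on disk is not, since that binary is legitimate. Preserve the `kl.log` file before cleanup, as it is where the recorded keystrokes are written and it shows what may have been exposed.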

This entry was last updated on 09/21/12 and posted on 09/21/12.