TROJ_ARTIEF.LWO is used to refer to a malicious email message that distributes a dangerous remote access tool that has been making headlines in the last year. This remote access tool is known as Korplug or Plugx and allows criminals to take control of the infected computer from a remote location. If you have been exposed to the TROJ_ARTIEF.LWO malicious email message, ESG security researchers strongly advise you to verify that your computer has not been compromised. To do this, ESG malware researchers advise using a reliable, powerful anti-malware application.
The TROJ_ARTIEF.LWO Phishing Email Message
The TROJ_ARTIEF.LWO phishing email message will typically impersonate a legitimate sender and will include a dangerous file attachment. This malicious file attachment will typically include a Trojan dropper that installs BKDR_PLUGX.SME, a dangerous Trojan infection that installs both a backdoor on the infected computer and the Plugx remote access tool itself. This dangerous Trojan will often drop other files, such as NvSmart.exe, a legitimate file belonging to the NVIDIA family of graphics card software. TROJ_ARTIEF.LWO specifically refers to the malicious email attachment contained in this phishing email message. However, since this email attachment can take various forms, it is usually simpler to use this term to refer to the malicious email message itself. The TROJ_ARTIEF.LWO attack can be contained in various kinds of attachments. Some examples of ways in which TROJ_ARTIEF.LWO can be attached to an email message include the following:
- TROJ_ARTIEF.LWO may take the form of a compressed archive, usually in RAR or ZIP format. These have often been the preferred methods of delivery for malicious executable files because the contents of an archive can seldom be analyzed until the whole archive is downloaded and its contents extracted. These kinds of archives will often contain an Autorun file that will ensure that the malicious code is executed as soon as the archive is opened.
- TROJ_ARTIEF.LWO may also be contained directly in an executable file with the EXE extension. However, the name and icon of the file will be altered to make it seem as if the file is something else. This method is quickly falling out of favor among malware distributors because most computer users, even those that are quite inexperienced, know that they should be careful with unknown executable files (this is helped by the fact that their computer will often display an automatic warning whenever the computer user tries to download an executable file).
- One of the most common methods of distribution of TROJ_ARTIEF.LWO in the last year involves taking advantage of vulnerabilities in Adobe Acrobat Reader or in Microsoft Word or Excel. These kinds of file attachments are particularly effective because the attack is contained in a DOC, PDF, or XLS document, all formats that have traditionally been considered to be safe.
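The three delivery forms listed above (archive, disguised executable, document) can each be triaged on the mail gateway before a user ever opens the attachment. The following Python is an added example written for this page; it is not code from ESG or from the page itself. It sniffs the attachment's leading bytes instead of trusting its extension, lists the members of a ZIP archive and flags executables inside it, catches the "document.pdf.exe" double-extension trick, and routes DOC/PDF/XLS content to sandbox or exploit analysis. The signatures, extension lists and the sample attachments are constructed for the demonstration.

```python
import io
import os
import zipfile

# Leading-byte signatures for the formats the page names (constructed lookup table).
MAGIC = {
    b"MZ": "executable",                               # PE executable
    b"PK\x03\x04": "zip",                              # ZIP archive
    b"Rar!\x1a\x07": "rar",                            # RAR archive
    b"%PDF": "pdf",                                    # PDF document
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-document",  # legacy DOC/XLS container
}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOC_EXT = {".doc", ".xls", ".pdf", ".rtf"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> list:
    """Return a list of findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    stem = filename[: -len(ext)] if ext else filename
    kind = sniff(data)

    # Form 2: an executable, possibly renamed to look like a document ("report.pdf.exe").
    if ext in EXEC_EXT:
        findings.append("executable attachment")
        if os.path.splitext(stem)[1].lower() in DOC_EXT:
            findings.append("double extension disguises executable as a document")
    if kind == "executable" and ext not in EXEC_EXT:
        findings.append("content is a PE executable but extension claims otherwise")

    # Form 1: archives. ZIP members can be listed in memory; RAR needs a sandbox extraction.
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if os.path.splitext(name)[1].lower() in EXEC_EXT:
                    findings.append(f"archive contains executable: {name}")
    elif kind == "rar":
        findings.append("RAR archive: extract in a sandbox before any member is opened")

    # Form 3: document formats that carry exploits for the reader application.
    if ext in DOC_EXT or kind in ("pdf", "ole-document"):
        findings.append("document format: route to exploit/sandbox analysis")
    return findings


def _build_sample_zip() -> bytes:
    """Constructed sample: a ZIP archive holding a tiny PE-like file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


SAMPLE_ZIP = _build_sample_zip()

if __name__ == "__main__":
    samples = {
        "updates.zip": SAMPLE_ZIP,
        "invoice.pdf": b"MZ" + b"\x00" * 30,      # PE bytes behind a .pdf name
        "invoice.pdf.exe": b"MZ" + b"\x00" * 30,
        "quarterly.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
        "notes.txt": b"plain text",
    }
    for name, content in samples.items():
        print(name, "->", triage(name, content) or ["clean"])
```

Each finding is a reason to hold the message, not a verdict; the document-format finding in particular only says the attachment must go through reader-exploit analysis, since the page's point is that DOC, PDF and XLS files look safe to users.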
How Can You Detect TROJ_ARTIEF.LWO?
TROJ_ARTIEF.LWO Removal Details
TROJ_ARTIEF.LWO typically has the following processes in memory:
- %User Temp%\dw20.exe
TROJ_ARTIEF.LWO creates the following files in the system:
- %User Temp%\~WINWORD
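The two indicators above can be checked on a host without a full scan. The following Python is an added example for this page, not ESG's tool or code from the page. It expands the page's %User Temp% placeholder to a concrete directory, tests for the dropped ~WINWORD file, and matches the process indicator on its full image path rather than the bare name, because dw20.exe is also the name of Microsoft's legitimate error-reporting executable and only an instance running from the user's Temp directory matches the indicator. The process table and temp directory it demonstrates on are constructed; on a real host the table would come from tasklist or a process-enumeration API.

```python
import os
import tempfile

# Indicators quoted from the page, in the page's own %User Temp% notation.
PROCESS_IOCS = [r"%User Temp%\dw20.exe"]
FILE_IOCS = [r"%User Temp%\~WINWORD"]


def expand(ioc: str, user_temp: str) -> str:
    """Replace the %User Temp% placeholder and normalise the path for this host's OS."""
    path = ioc.replace("%User Temp%", user_temp)
    return os.path.normcase(os.path.normpath(path.replace("\\", os.sep)))


def check_files(user_temp: str) -> list:
    """Return the dropped-file indicators that actually exist under user_temp."""
    return [p for p in (expand(i, user_temp) for i in FILE_IOCS) if os.path.exists(p)]


def check_processes(proc_table, user_temp: str) -> list:
    """proc_table is an iterable of (pid, image_path). Only a process whose image
    lives at the indicator path is reported; a dw20.exe elsewhere is left alone."""
    wanted = {expand(i, user_temp) for i in PROCESS_IOCS}
    hits = []
    for pid, image_path in proc_table:
        normalised = os.path.normcase(os.path.normpath(image_path.replace("\\", os.sep)))
        if normalised in wanted:
            hits.append((pid, image_path))
    return hits


def make_sample_host():
    """Constructed sample host state: a temp directory holding the dropped file, plus a
    process table with one legitimate dw20.exe and one running from the temp directory."""
    user_temp = tempfile.mkdtemp()
    open(os.path.join(user_temp, "~WINWORD"), "wb").close()
    proc_table = [
        (1040, r"C:\Program Files\Common Files\Microsoft Shared\DW\dw20.exe"),
        (2216, user_temp + r"\dw20.exe"),
    ]
    return user_temp, proc_table


if __name__ == "__main__":
    temp_dir, table = make_sample_host()
    print("dropped files present:", check_files(temp_dir))
    print("suspicious processes:", check_processes(table, temp_dir))
```

A hit on either check is a reason to isolate the machine and run the anti-malware scan the page recommends; an empty result does not prove the host is clean, since the page lists only the indicators this variant typically leaves.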