Home Malware Programs Backdoors BKDR_PLUGX.SME

BKDR_PLUGX.SME

Posted: September 21, 2012

Threat Metric

Ranking: 964
Threat Level: 2/10
Infected PCs: 126,766
First Seen: September 21, 2012
Last Seen: October 16, 2023
OS(es) Affected: Windows

BKDR_PLUGX.SME is a primary component of the PlugX Trojan, a module-based backdoor Trojan that compromises your PC's security with a backdoor vulnerability (along with several spyware-related functions). Typical BKDR_PLUGX.SME infections are the result of opening a malicious Word document that can be detected as TROJ_ARTIEF.LWO. Because e-mail remains the most common method of distributing malicious text files like TROJ_ARTIEF.LWO, SpywareRemove.com malware researchers recommend that you stop and contemplate the consequences before you open a seemingly 'safe' file blindly. BKDR_PLUGX.SME uses code injection to conceal itself and remains active even any obvious symptoms. Thus, as is true for most backdoor Trojans, deleting BKDR_PLUGX.SME should rely on anti-malware software preferentially.

Every Little Reason to Stop Your PC from Plugging into BKDR_PLUGX.SME

BKDR_PLUGX.SME is just the first of a total of four major files in a typical PlugX infection that's installed through Adobe Acrobat or Microsoft Office-based exploits. After being installed by TROJ_ARTIEF.LWO (a malicious text document), BKDR_PLUGX.SME is responsible for installing three other PlugX-related files, including BKDR_PLUGX.BUT. Once its installation is completed by BKDR_PLUGX.SME, PlugX injects its code into svchost.exe (which is a standard Windows component). BKDR_PLUGX.SME then deletes itself to avoid detection, although the rest of the PlugX infection will remain on your computer and commence in its attacks.

Some mentionable 'features' that are displayed in various modules for PlugX include (although SpywareRemove.com malware analysts note that this isn't an exhaustive list):

  • Spyware functions, such as recording keyboard input, capturing video or taking screenshots.
  • Granting remote attackers the ability to alter your Registry, delete files, open programs, upload/download information and control which applications can function (at both the Registry level and via control over memory processes).
  • Forcing a reboot, logging the current user off or even locking down the workstation.

Other PlugX-related functions can be used for a range of attacks, such as recruiting your PC into a botnet or installing other forms of malicious applications.

Unplugging BKDR_PLUGX.SME and Every Other PlugX Component

If BKDR_PLUGX.SME completes its installer routine, BKDR_PLUGX.SME will delete itself. However, BKDR_PLUGX.SME's payload should be removed from your computer through anti-malware software, along with all Registry and other system changes. Failure to do this promptly grants criminals the ability to access and control your computer with minimal effort, and may result in compromises to personal information or even damage to your PC.

However, SpywareRemove.com malware research team notes that it's much easier simply to avoid BKDR_PLUGX.SME rather than try to delete PlugX. Watch for suspicious e-mail messages that ask you to open unusual file attachments, particularly for files that use PDF or DOC formats. Deleting these e-mail messages, unopened, is the surest way to prevent BKDR_PLUGX.SME and the rest of PlugX from ever getting a grip on your computer and its contents.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



%User Profile%\UdpGf\NvSmartMax.dll File name: %User Profile%\UdpGf\NvSmartMax.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
%User Profile%\UdpGf\NvSmart.exe File name: %User Profile%\UdpGf\NvSmart.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%User Profile%\UdpGf\NvSmart.usr File name: %User Profile%\UdpGf\NvSmart.usr
Mime Type: unknown/usr
Group: Malware file
%All Users Profile%\Gf\NvSmartMax.dll File name: %All Users Profile%\Gf\NvSmartMax.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
%All Users Profile%\Gf\NvSmart.exe File name: %All Users Profile%\Gf\NvSmart.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%All Users Profile%\Gf\boot.ldr File name: %All Users Profile%\Gf\boot.ldr
Mime Type: unknown/ldr
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\{Value}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FAST CLSID = "{RANDOM VALUES}"HKEY..\..\..\..{Subkeys}HKEY_LOCAL_MACHINE\Software\CLASSES\FAST

Additional Information

The following URL's were detected:
typiccor.com
Loading...