Monday, September 10, 2012

PlugX or Korplug

     Some of you may have heard about a campaign using Poison Ivy to target users in Japan, China, and Taiwan. The same group is now developing a new RAT (Remote Administration Tool) called PlugX or Korplug. They seem to be distributing both side by side and are using some of the same servers to control both. This Trojan is detected as "Backdoor.Win32.Plugx". The Trojan is being deployed in attachments to spam mail (examples provided here). Some variants of this virus may be signed with stolen certificates.

    How to remove:
    Most antivirus programs (such as Norton and Nod32) detect and remove this Trojan, so running a scan with any of them should get rid of the problem. However, it is also possible to remove this Trojan manually by following these steps (provided by 2-spyware):


  1. Delete registry values:
    1. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FAST
    2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SXS
    3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SxS
  2. Delete files:
    1. %UserProfile%\SxS\bug.log
    2. %UserProfile%\SxS\rc.exe
    3. %UserProfile%\SxS\rc.hlp
    4. %UserProfile%\SxS\rcdll.dll
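As an added example (not part of the original post and not a tool from TrendMicro, Symantec or 2-spyware), the script below turns the removal steps above into a repeatable triage check: it looks for exactly the registry keys and files the post lists, records a SHA256 hash of any file it finds (useful for submitting a sample to your AV vendor before deleting it), and only deletes them when run with the assumed -Remove switch. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: check a Windows host for the
# PlugX/Korplug artifacts listed in the removal steps and optionally remove them.
# Registry keys and file paths are exactly those given in the post; the -Remove
# switch is this script's own (assumed) parameter name.
[CmdletBinding()]
param(
    [switch]$Remove   # report only unless this switch is given
)

# Registry keys from the post (HKEY_LOCAL_MACHINE written as the HKLM: drive)
$registryKeys = @(
    'HKLM:\SOFTWARE\Classes\FAST',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SXS',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SxS'
)

# Files from the post; %UserProfile% resolves to the *current* user's profile
$files = @(
    "$env:USERPROFILE\SxS\bug.log",
    "$env:USERPROFILE\SxS\rc.exe",
    "$env:USERPROFILE\SxS\rc.hlp",
    "$env:USERPROFILE\SxS\rcdll.dll"
)

$findings = @()

foreach ($key in $registryKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Path = $key; SHA256 = $null }
        if ($Remove) {
            Remove-Item -LiteralPath $key -Recurse -Force -ErrorAction Continue
        }
    }
}

foreach ($file in $files) {
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        # Hash before deleting so a sample can still be identified afterwards
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Path = $file; SHA256 = $hash }
        if ($Remove) {
            Remove-Item -LiteralPath $file -Force -ErrorAction Continue
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the PlugX/Korplug artifacts listed in the post were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Two practical caveats: the file checks only cover the profile of the user running the script, so repeat them for every profile on a shared machine; and keys under Enum\Root are ACL-protected, so deleting LEGACY_SXS may fail with "access denied" even from an elevated prompt and need the SxS service stopped (and ownership of the key taken) first.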

Sorry for this short post; more information on this threat will be posted later. Be sure to check the sources below for more information and continued reading.


Remember to comment with a topic for my next post.



Sources:
TrendMicro
Symantec
