BKDR_PLUGX.BUT

Posted: September 21, 2012

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	2/10
Infected PCs:	10

First Seen:	September 21, 2012
OS(es) Affected:	Windows

BKDR_PLUGX.BUT is one of the primary components of a PlugX backdoor Trojan, a modular Trojan that includes information-stealing functions along with typical backdoor attacks (such as deleting files, launching programs or changing the Registry). Installation for BKDR_PLUGX.BUT begins with a malicious PDF or DOC file that's distributed via e-mail spam and detected by the name TROJ_ARTIEF.LWO. After TROJ_ARTIEF.LWO is launched, it will install the first PlugX component, BKDR_PLUGX.SME, which installs BKDR_PLUGX.BUT and other components before deleting itself. Multi-component techniques along with code injection functions are used by BKDR_PLUGX.BUT and other components to launch PlugX's features, which SpywareRemove.com malware experts consider potentially high-level security risks to your computer. Due to the obfuscation that's employed in this attack, BKDR_PLUGX.BUT and all other parts of PlugX should be removed with anti-malware software when it's required.

The Unpleasant Possibilities That BKDR_PLUGX.BUT Opens Up for Your System

BKDR_PLUGX.BUT is a malicious DLL file that's named to make believe (and act) as a part of NVSmart, a non-malicious Nvidia program. NVSmart is also installed along with BKDR_PLUGX.BUT, and loads BKDR_PLUGX.BUT as though it were a normal DLL file. BKDR_PLUGX.BUT loads additional code from another source and then commences its attacks, with all of the relevant code injected into svchost.exe. SpywareRemove.com malware researchers warn that BKDR_PLUGX.BUT should be considered open and running on an infected PC even if there are no symptoms, since PlugX alters the Registry to include a standard Autostart exploit.

BKDR_PLUGX.BUT's loaded code allows for a range of different attacks, which are organized according to separate modules. SpywareRemove.com malware analysts have noted the following functions from BKDR_PLUGX.BUT as especially mentionable:

The XPlugDisk lets BKDR_PLUGX.BUT rename files, delete them, open them or move them, as well as gather basic file information that can be sent to remote attackers.

XPlugScreen and XPlugKeyLogger can steal information that's displayed on your monitor or typed from your keyboard.

XPlugOption grants BKDR_PLUGX.BUT the option to reboot your PC, log you out of your profile or even lock you out of the workstation.

XPlugRegedit, as you'd expect from its name, lets BKDR_PLUGX.BUT control the Registry. This can allow BKDR_PLUGX.BUT to prevent programs from running (by deleting their Registry entries), to launch programs automatically or to disable a wide range of security and interface features.

The Long, Hard Road to Deleting All Parts of a BKDR_PLUGX.BUT Infection

Because BKDR_PLUGX.BUT, as a part of PlugX, is just one of several components that should be deleted from your computer, SpywareRemove.com malware experts strongly advise you to use anti-malware scans that can detect BKDR_PLUGX.BUT and all related PC threats (such as various Registry entries, TROJ_ARTIEF.LWO and, in cases where it fails to delete itself, BKDR_PLUGX.SME). BKDR_PLUGX.BUT may interfere with using anti-malware software to disinfect your PC, and SpywareRemove.com malware researchers suggest disabling BKDR_PLUGX.BUT before anything else is done.

If Safe Mode (which is available for all Windows PCs) fails to shut BKDR_PLUGX.BUT down, booting your PC from a USB-confined OS should suffice. If BKDR_PLUGX.BUT has been on your PC for a significant period of time, you may also want to take additional steps to secure your personal information, since BKDR_PLUGX.BUT does include features that can steal passwords and equally-sensitive info.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%User Profile%\Gf\NvSmart.exe - a legitimate NVIDIA (NVIDIA Smart Maximise Helper Host)

File name: %User Profile%\Gf\NvSmart.exe - a legitimate NVIDIA (NVIDIA Smart Maximise Helper Host)
Mime Type: unknown/exe - a legitimate NVIDIA (NVIDIA Smart Maximise Helper Host)
Group: Malware file

%User Profile%\Gf\boot.ldr - found as TROJ_PLUGX.SME

File name: %User Profile%\Gf\boot.ldr - found as TROJ_PLUGX.SME
Mime Type: unknown/SME
Group: Malware file

%User Profile%\Gf\NvSmartMax.dll

File name: %User Profile%\Gf\NvSmartMax.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

%User Profile%\SxS\bug.log - error logs of malware

File name: %User Profile%\SxS\bug.log - error logs of malware
Mime Type: unknown/log - error logs of malware
Group: Malware file

{All Users' Profile}\Gf\kl.log

File name: {All Users' Profile}\Gf\kl.log
Mime Type: unknown/log
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\{Value}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf ErrorControl = "0"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf ImagePath = ""All Users' %User Profile%\Gf\NvSmart.exe" 200 0"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf Description = "Gf"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf DisplayName = "Gf"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf Type = "110"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf ObjectName = "LocalSystem"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf Start = "2"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FAST CLSID = "{RANDOM HEX VALUES}"HKEY..\..\..\..{Subkeys}HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FASTHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf\SecurityHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GfHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gf\Enum;