
Backdoor:Win32/Poison


First posted on 04 February 2009.
Source: SecurityHome

Aliases:

Backdoor:Win32/Poison is also known as Mal/Behav-285 (Sophos), Backdoor.PoisonIvy.CV (BitDefender), Packed.Win32.Black.a (Kaspersky), W32/Sdbot.worm (McAfee), W32.IRCBot (Symantec).

Explanation:

Backdoor:Win32/Poison is the detection for backdoor trojans that allow unauthorized access to and control of an affected machine. It attempts to hide by injecting itself into other processes.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).


Installation
When executed, this trojan creates a remote thread in "explorer.exe". It then copies itself to the system, for example:
%windir%\poisen.exe
It then deletes its originally running copy and creates the following registry entry so that its copy automatically runs every time Windows starts:
Adds value: "StubPath"
With data: "%windir%\poisen.exe"
To subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\<CLSID> where <CLSID> is the CLSID for this trojan.
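As an added defender-side example (not Microsoft's, the analyst's, or the malwarePDF site's code), the following Python triages a `.reg` export of the Active Setup "Installed Components" key described above and flags StubPath entries worth a closer look. The sample export and its CLSIDs are constructed placeholders, `%windir%` is assumed to expand to `C:\Windows`, and the "stub executable sits directly in %windir%" heuristic is an assumption for review purposes, not a rule stated in the entry.

```python
"""Triage an exported Active Setup 'Installed Components' hive for suspicious
StubPath values (hypothetical checker written for this entry; not vendor code).
The .reg text, CLSIDs and the 'sits directly in %windir%' heuristic are all
constructed assumptions for illustration."""
import re
from dataclasses import dataclass, field

# Constructed sample of what
#   reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg
# might contain. CLSIDs are placeholders, not real component identifiers.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\example_setup.exe /silent"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="%windir%\\poisen.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000003}]
"Version"="2,0,0,0"
"""

# Assumed expansion of environment-style prefixes (the entry writes the path as %windir%\poisen.exe).
ENV_PREFIXES = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}
WINDOWS_ROOT = r"c:\windows"       # compared lower-case
KNOWN_FILENAMES = {"poisen.exe"}   # file name given in this entry


@dataclass
class Finding:
    clsid: str
    stub_path: str
    reasons: list = field(default_factory=list)


def _unescape(value: str) -> str:
    """Undo .reg string escaping: a backslash-escaped character becomes the character itself."""
    return re.sub(r"\\(.)", r"\1", value)


def _expand(path: str) -> str:
    """Expand the assumed %windir% / %SystemRoot% prefixes, case-insensitively."""
    for prefix, real in ENV_PREFIXES.items():
        path = re.sub(re.escape(prefix), lambda _m: real, path, flags=re.IGNORECASE)
    return path


def executable_of(command: str) -> str:
    """Return the program a StubPath command launches (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        exe = parts[0] if parts else ""
    return _expand(exe)


def parse_stub_paths(reg_text: str) -> dict:
    """Map each Installed Components CLSID subkey to its unescaped StubPath string."""
    stubs, clsid = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            clsid = key.rsplit("\\", 1)[-1] if "installed components" in key.lower() else None
            continue
        match = re.match(r'"StubPath"="(.*)"$', line)
        if match and clsid:
            stubs[clsid] = _unescape(match.group(1))
    return stubs


def triage(reg_text: str) -> list:
    """Flag StubPath entries matching this entry's file name or the location heuristic."""
    findings = []
    for clsid, stub in parse_stub_paths(reg_text).items():
        exe = executable_of(stub)
        folder, _, name = exe.rpartition("\\")
        reasons = []
        if name.lower() in KNOWN_FILENAMES:
            reasons.append("file name matches the Backdoor:Win32/Poison indicator")
        if folder.lower() == WINDOWS_ROOT:
            reasons.append("stub executable sits directly in %windir% rather than a subfolder")
        if reasons:
            findings.append(Finding(clsid, stub, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f.clsid, f.stub_path, "; ".join(f.reasons))
```

On a live host the same parser can be pointed at the output of `reg export` for that key; components that carry only a `Version` value are normal and are skipped. Active Setup stubs run once per user at logon, so a hit here also explains why the sample survives a reboot even after the original file is deleted.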

Payload
Backdoor Functionality
When contacting the remote server in order to receive commands, Backdoor:Win32/Poison starts iexplore.exe and injects itself into it, in an attempt to evade common firewall programs. Once injected into iexplore.exe, it contacts a remote server to receive commands. A server it has been known to connect to, for example, is "harryharry.no-ip.biz" using TCP port 3460. The commands that it may receive from the remote server may include downloading and executing arbitrary files.
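The injection into iexplore.exe defeats firewalls that decide per executable, so a useful network-side check looks at which process made a connection and where it went. The Python below is an added example (not vendor or analyst code) that runs that check over a constructed per-process connection log; only the host name and TCP port come from this entry, while the log format, the sample events and the "browser on a non-web port" rule are assumptions.

```python
"""Flag outbound connections consistent with the Payload section of this entry
(hypothetical detector added for illustration; not vendor code). The log format
and sample events are constructed; only the host name and port come from the entry."""
from dataclasses import dataclass

IOC_HOST = "harryharry.no-ip.biz"   # server named in this entry
IOC_PORT = 3460                     # TCP port named in this entry
BROWSER_IMAGES = {"iexplore.exe"}   # process the trojan injects into for C2 traffic
WEB_PORTS = {80, 443}               # assumed normal destination ports for a browser

# Constructed sample of a per-process outbound connection log, one event per line:
# "<timestamp> <image> <destination> <dst_port> <proto>" (documentation IP ranges only).
SAMPLE_LOG = """\
2009-02-04T10:00:01Z iexplore.exe 203.0.113.10 443 tcp
2009-02-04T10:00:07Z iexplore.exe harryharry.no-ip.biz 3460 tcp
2009-02-04T10:00:09Z explorer.exe 198.51.100.5 445 tcp
2009-02-04T10:01:05Z svchost.exe harryharry.no-ip.biz 80 tcp
2009-02-04T10:01:40Z iexplore.exe 192.0.2.9 3460 tcp
malformed line that should be skipped
"""


@dataclass
class Event:
    timestamp: str
    image: str
    destination: str
    port: int
    proto: str


def parse_event(line: str):
    """Parse one log line; return None for lines that do not fit the assumed format."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ts, image, dest, port, proto = parts
    return Event(ts, image.lower(), dest.lower(), int(port), proto.lower())


def assess(event: Event) -> list:
    """Return the reasons an event is suspicious (empty list means benign under these rules)."""
    reasons = []
    if event.destination == IOC_HOST:
        reasons.append("destination is the C2 host named in this entry")
    if event.proto == "tcp" and event.port == IOC_PORT:
        reasons.append("destination port is the C2 port named in this entry")
    if event.image in BROWSER_IMAGES and event.port not in WEB_PORTS:
        reasons.append("browser process connecting on a non-web port (injection evasion pattern)")
    return reasons


def detect(log_text: str) -> list:
    """Return (line_number, event, reasons) for every suspicious event in the log."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        event = parse_event(line)
        if event is None:
            continue
        reasons = assess(event)
        if reasons:
            hits.append((number, event, reasons))
    return hits


if __name__ == "__main__":
    for number, event, reasons in detect(SAMPLE_LOG):
        print(f"line {number}: {event.image} -> {event.destination}:{event.port} | " + "; ".join(reasons))
```

The host-name and port rules are exact-match indicators and will go stale (the entry's server is a dynamic-DNS name observed in 2009), whereas the browser-on-a-non-web-port rule is the durable part of the pattern; it needs tuning for environments where browsers legitimately reach proxies or services on other ports, so extend `WEB_PORTS` before relying on it.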

Analysis by Elda Dimakiling

Last update 04 February 2009

 
