
TrojanDownloader:Win32/Poison.A


First posted on 22 February 2012.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Poison.A is also known as Win-Trojan/Jorik.20480.K (AhnLab), TR/Agent.20480.114 (Avira), Win32.HLLW.Autoruner1.11186 (Dr.Web), Trojan.Win32.Jorik.PoisonIvy.rr (Kaspersky), Troj/DwnLdr-JNS (Sophos), BKDR_POISONDLD.A (Trend Micro).

Explanation:

TrojanDownloader:Win32/Poison.A is a small trojan executable that downloads and executes a variant of Win32/Poison (aka "Poison Ivy"), a trojan that allows unauthorized access to an affected host computer.



Installation

TrojanDownloader:Win32/Poison.A may be installed by other malware. When run, the trojan executes its file downloading payload.



Payload

Downloads malware
The trojan connects to a compromised website to retrieve non-executable data in the following example hexadecimal format:



The trojan injects the downloaded hex code into its own running process and copies itself to the Windows system folder as "misys.exe". The new file is a variant of Win32/Poison.
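
A network-side check for the download step described above, as an added example that is not part of the original write-up: it flags response bodies that are hex text but decode to mostly binary data. It assumes the payload is served as bare hexadecimal digits with optional whitespace; the function names, thresholds and sample bodies are illustrative and constructed.

```python
import re

# Assumption: the payload is bare hex digits, optionally broken up by whitespace.
HEX_ONLY = re.compile(rb"[0-9A-Fa-f\s]+")
MIN_DECODED = 256   # illustrative floor: shorter hex strings are usually hashes or IDs
MIN_BINARY = 0.30   # illustrative share of non-text bytes after decoding


def decode_hex_body(body: bytes):
    """Return the decoded bytes if the whole body is one hex blob, else None."""
    if not HEX_ONLY.fullmatch(body):
        return None
    digits = b"".join(body.split())
    if len(digits) % 2 or len(digits) // 2 < MIN_DECODED:
        return None
    return bytes.fromhex(digits.decode("ascii"))


def binary_ratio(data: bytes) -> float:
    """Fraction of bytes that are not printable ASCII, tab, CR or LF."""
    text = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return 1 - text / len(data)


def is_suspicious_body(body: bytes) -> bool:
    """True when a response body is hex text that decodes to mostly binary data."""
    decoded = decode_hex_body(body)
    return decoded is not None and binary_ratio(decoded) >= MIN_BINARY


# Constructed sample bodies (not taken from any real traffic).
BLOB = bytes(range(256)) * 2
SAMPLES = {
    "hex_binary": b"\r\n".join(BLOB.hex().encode()[i:i + 64] for i in range(0, 1024, 64)),
    "hex_text": (b"hello world " * 40).hex().encode(),
    "sha256": b"ab" * 32,
    "html": b"<html><body>0123456789abcdef</body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:11s} suspicious={is_suspicious_body(body)}")
```

Only the first sample is flagged: the hex-encoded text, the short digest and the HTML page all pass, which keeps the rule from firing on ordinary hex strings in web content.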

Additional information

For more information about Win32/Poison, see the description elsewhere in the encyclopedia.



Analysis by Daniel Radu

Last update 22 February 2012

 
