
Backdoor.Poisonivy.CV


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Backdoor.Poisonivy.CV is also known as Backdoor:W32/PoisonIvy.JT.

Explanation:

When first run, this malware copies itself to %SYSDIR% as systio.exe and then deletes the original file. It also creates a file named systio, in which it stores information about the user's activity. To bypass firewall or router protection, it injects its code into the memory space of explorer.exe and firefox.exe (sometimes into the memory space of lsass.exe) and executes it from there. To mark its presence on the system it creates a mutex named " )!VoqA.I4 ". It modifies the following registry key in order to run at every system startup:
HKLM\Software\Microsoft\Active Setup\Installed Components\{2E811653-4F55-1574-0104-010302040505}\StubPath
value -> %SYSDIR%\systio.exe...
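The persistence described above is an Active Setup "Installed Components" StubPath entry, which Windows executes once per user at logon. The following check is an added example written for this page; it is not BitDefender's tooling or part of the original advisory. It walks every StubPath entry under that key (on Windows, via winreg, in both the 64-bit and Wow6432Node views), flags entries whose CLSID or executable matches the indicators quoted in the text, and probes for the mutex the text names. The registry enumeration and mutex probe only work on Windows; the matching logic is pure and is exercised off-line on two constructed sample entries (the ie4uinit.exe entry is a made-up benign example, not from the page). Whether the spaces around the mutex name are part of the name or just the page's quoting is not clear from the text, so both forms are checked.

```python
"""Check Active Setup StubPath entries against the Backdoor.Poisonivy.CV indicators (hypothetical example)."""
import ctypes
import sys

# Indicators quoted from the advisory above (the only page-specific values used here)
POISONIVY_CLSID = "{2E811653-4F55-1574-0104-010302040505}"
POISONIVY_FILENAME = "systio.exe"
POISONIVY_MUTEX = " )!VoqA.I4 "   # surrounding spaces copied from the page; may be quoting

ACTIVE_SETUP_SUBKEY = r"Software\Microsoft\Active Setup\Installed Components"

# Constructed sample entries: one benign-looking entry and one matching the advisory
SAMPLE_ENTRIES = [
    ("{89820200-ECBD-11cf-8B85-00AA005B4383}", r"C:\Windows\System32\ie4uinit.exe -UserConfig"),
    (POISONIVY_CLSID, r"C:\Windows\System32\systio.exe"),
]


def stubpath_executable(stubpath):
    """Return the lower-cased file name of the program a StubPath command line runs.

    Handles quoted paths ("C:\\dir name\\x.exe" -arg) and bare paths with arguments,
    and splits on both separators so the result is the same when run off Windows.
    """
    s = stubpath.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end != -1 else s[1:]
    else:
        exe = s.split()[0] if s else ""
    return exe.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_entry(clsid, stubpath):
    """Return the list of reasons an Installed Components entry matches the advisory."""
    reasons = []
    if clsid.strip().upper() == POISONIVY_CLSID.upper():
        reasons.append("CLSID matches the advisory's Installed Components key")
    if stubpath_executable(stubpath) == POISONIVY_FILENAME:
        reasons.append("StubPath executes " + POISONIVY_FILENAME)
    return reasons


def scan_entries(entries):
    """Reduce (clsid, stubpath) pairs to (clsid, stubpath, reasons) for entries that hit."""
    hits = []
    for clsid, stubpath in entries:
        reasons = classify_entry(clsid, stubpath)
        if reasons:
            hits.append((clsid, stubpath, reasons))
    return hits


def enumerate_active_setup():
    """Yield (clsid, stubpath) for every Installed Components subkey (Windows only)."""
    import winreg  # only importable on Windows
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACTIVE_SETUP_SUBKEY,
                                  0, winreg.KEY_READ | view)
        except OSError:
            continue  # view not present on this machine
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, name, 0, winreg.KEY_READ | view) as sub:
                        stub, _ = winreg.QueryValueEx(sub, "StubPath")
                except OSError:
                    stub = ""  # entry has no StubPath value
                yield name, str(stub)


def mutex_present(name):
    """Windows only: True if a named mutex exists, False if not, None if undeterminable."""
    if not sys.platform.startswith("win"):
        return None
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    handle = kernel32.OpenMutexW(0x00100000, 0, name)  # SYNCHRONIZE access
    if handle:
        kernel32.CloseHandle(handle)
        return True
    err = ctypes.get_last_error()
    if err == 5:   # ERROR_ACCESS_DENIED: the object exists but we may not open it
        return True
    if err == 2:   # ERROR_FILE_NOT_FOUND: no such mutex
        return False
    return None


if __name__ == "__main__":
    on_windows = sys.platform.startswith("win")
    entries = list(enumerate_active_setup()) if on_windows else SAMPLE_ENTRIES
    for clsid, stubpath, reasons in scan_entries(entries):
        print("SUSPICIOUS", clsid, stubpath, "; ".join(reasons))
    for candidate in (POISONIVY_MUTEX, POISONIVY_MUTEX.strip()):
        print("mutex", repr(candidate), "present:", mutex_present(candidate))
```

On a live host, run it from an elevated prompt so the 64-bit view and the mutex probe are readable; a StubPath hit alone is strong evidence, since legitimate Installed Components entries point at Windows components or installed software rather than a bare executable dropped into the system directory.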

This malware gives an attacker the ability to monitor the user's activity on the infected computer.

Last update 21 November 2011
