Backdoor:Win32/Poisonivy.gen!A


First posted on 10 February 2010.
Source: SecurityHome

Aliases:

Backdoor:Win32/Poisonivy.gen!A is also known as Trojan-Downloader.Win32.Obfuscated.aw (Kaspersky), Mal/Behav-204 (Sophos).

Explanation:

Backdoor:Win32/Poisonivy.gen!A is a member of the Win32/Poisonivy family of backdoor trojans. They allow unauthorized access and control of an affected machine, and attempt to hide by injecting themselves into other processes.

Installation
When run, the members of this family may create an instance of explorer.exe or iexplore.exe (or possibly other processes) and inject their custom code into the targeted process. In some cases, the mutex ")!VoqA.I4" is also created.

Payload
Allows backdoor access and control
Backdoor:Win32/Poisonivy.gen!A's injected code may attempt to connect via TCP to a remote server in order to allow unauthorized access and control of an affected computer. In the wild, we have observed the following hosts being contacted for this purpose:

  • heike.kicks-ass.org
  • pop11.hopto.org

Win32/Poisonivy receives commands to perform different actions over this connection from a remote attacker. This may include downloading and executing arbitrary executable files.
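A triage script for the indicators given in the Installation and Payload sections, added here as an illustrative example (it is not Microsoft's code and not the malware's own code). It checks for the ")!VoqA.I4" mutex through the Win32 OpenMutexW API and scans DNS query logs for lookups of the two observed C2 hosts. The mutex name, hostnames and injection targets come from the description above; the DNS log format and the sample log lines are constructed for this example.

```python
"""Triage checks for the Win32/Poisonivy indicators described on this page.

Added illustrative code, not part of the original description. The indicator
values (mutex name, C2 hostnames, injection targets) are taken from the text
above; the DNS log format and the sample lines are constructed for this example.
"""
import ctypes
import sys

POISONIVY_MUTEX = ")!VoqA.I4"                                    # Installation section
POISONIVY_C2_HOSTS = {"heike.kicks-ass.org", "pop11.hopto.org"}  # Payload section
INJECTION_TARGETS = {"explorer.exe", "iexplore.exe"}             # processes the code hides in

# Win32 constants used by the mutex check.
SYNCHRONIZE = 0x00100000
ERROR_FILE_NOT_FOUND = 2
ERROR_ACCESS_DENIED = 5


def mutex_exists(name):
    """Return True if a mutex with this name is visible to the calling process.

    Returns False when no such mutex exists, None when not running on Windows.
    Run it in the same logon session as the suspected injected process: an
    unprefixed mutex name lives in that session's object namespace.
    """
    if sys.platform != "win32":
        return None
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    err = ctypes.get_last_error()
    # ACCESS_DENIED means the object exists but its ACL blocks us: still a hit.
    if err == ERROR_ACCESS_DENIED:
        return True
    if err == ERROR_FILE_NOT_FOUND:
        return False
    raise ctypes.WinError(err)


def normalize_qname(qname):
    """Lower-case a DNS name and drop the trailing root dot."""
    return qname.strip().rstrip(".").lower()


def is_poisonivy_c2(qname):
    """True for an observed C2 host or any name beneath it.

    The parent zones (hopto.org, kicks-ass.org) are shared dynamic-DNS
    services, so they are deliberately NOT matched on their own.
    """
    name = normalize_qname(qname)
    return any(name == host or name.endswith("." + host) for host in POISONIVY_C2_HOSTS)


# Constructed sample, not real traffic. Format assumed for this example:
# <time> <client-ip> <qtype> <qname>
SAMPLE_DNS_LOG = """\
# time client qtype qname
2010-02-10T09:14:02Z 10.0.0.5 A www.example.com
2010-02-10T09:14:07Z 10.0.0.5 A pop11.hopto.org
2010-02-10T09:15:11Z 10.0.0.9 A hopto.org
2010-02-10T09:16:40Z 10.0.0.5 A HEIKE.kicks-ass.org.
"""


def scan_dns_log(lines):
    """Return one record per query for a Poison Ivy C2 host."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            continue  # tolerate malformed lines rather than abort triage
        time, client, qtype, qname = fields
        if is_poisonivy_c2(qname):
            hits.append({"time": time, "client": client, "qtype": qtype,
                         "qname": normalize_qname(qname)})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print("C2 lookup: {client} -> {qname} at {time}".format(**hit))
    state = mutex_exists(POISONIVY_MUTEX)
    if state is None:
        print("mutex check skipped (not Windows)")
    else:
        print("mutex %r present: %s" % (POISONIVY_MUTEX, state))
```

Two caveats when using this: the description says the mutex is created only "in some cases", so a missing mutex does not clear a host, and the C2 names are dynamic-DNS hostnames that the attacker can re-point at will, so a DNS hit identifies the victim client worth examining (look for injected code in explorer.exe or iexplore.exe) rather than a stable blocklist entry.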

Analysis by Dan Kurc

Last update 10 February 2010
