Home / malware Backdoor:Win32/Poison.M
First posted on 08 June 2010.
Source: SecurityHomeAliases :
Backdoor:Win32/Poison.M is also known as Win-Trojan/Genome.370512 (AhnLab), W32/QQhelper.C.gen!Eldorado (Authentium (Com, Trojan.Win32.Genome.cxic (Kaspersky), BDS/Poison.CPD (Avira), Win32/PoisonIvy!generic (CA), Win32/Poison (ESET).
Explanation :
Backdoor:Win32/Poison.M is the detection for backdoor trojans that allow unauthorized access and control of a computer.
Top
Backdoor:Win32/Poison.M is the detection for backdoor trojans that allow unauthorized access and control of a computer. Installation Backdoor:Win32/Poison.M drops a copy of itself as the following:<system folder>\svc<random characters>. exe %windir%\atctivexobj.exe Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. It creates the following registry entry to ensure that its copy is registered as a client component: Adds value: "StubPath" With data: "C:\Windows\atctivexobj.exe" In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\<CLSID> where <CLSID> is the CLSID for this trojan. It attempts to install itself as a service by creating the following registry entry: Adds value: "Description" With data: "thank you" In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MD ServicesB1 Payload Allows backdoor access and control When contacting the remote server to receive commands, Backdoor:Win32/Poison.M injects its code into the running process "explorer.exe". The trojan has been observed connecting to the server "htrcool.vicp.net" using TCP port 3460. The commands that it may receive from the remote server may include downloading and executing arbitrary files or performing DDoS attacks to specified Web sites.
Analysis by Elda DimakilingLast update 08 June 2010