Backdoor:Win32/Poison.E
First posted on 21 March 2013.
Source: Microsoft
Aliases:
Backdoor:Win32/Poison.E is also known as Trojan/Win32.Hupigon (AhnLab), BDS/Poisonivy.20.B (Avira), Backdoor.Hupigon.1178 (BitDefender), Backdoor.Poison.IXQ (Rising AV).
Explanation:
Installation
Backdoor:Win32/Poison.E tries to copy itself to your computer as "<system folder>\svchost.exe".
Note that a legitimate Windows file also named "svchost.exe" exists by default in the same folder. Therefore the copy attempt likely fails.
It creates the following registry entry so that it automatically runs every time Windows starts:
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\<CLSID>
Sets value: "StubPath"
With data: "<system folder>\svchost.exe"
where <CLSID> is the class ID for this malware.
Payload
Allows backdoor access and control
Backdoor:Win32/Poison.E connects to a remote server to receive commands, allowing a remote attacker to gain access to your computer. To bypass common firewall programs, Backdoor:Win32/Poison.E opens an "iexplore.exe" process and injects itself into it. Once injected into this process, it contacts a remote server to receive commands.
A server it is known to contact is "lsls.3322.org" using TCP port 3460.
Once connected, it performs certain actions as specified by a remote attacker, for example, downloading and running arbitrary files, and logging keystrokes.
Additional information
Backdoor:Win32/Poison.E creates the mutex names "rdgSxQc12" and "nZi1cM,Aw".
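The following PowerShell script is an added defender-side check, not part of Microsoft's write-up: it sweeps the Active Setup "Installed Components" keys for the StubPath persistence entry described under Installation, and looks in the DNS client cache for the command-and-control hostname named under Payload. It assumes an elevated session on the host being examined; the key paths, folder lookup and cmdlets are standard Windows ones, and no legitimate Active Setup component launches svchost.exe, which is what the registry check relies on.

```powershell
# Added defender check (not from the write-up). Assumes an elevated PowerShell
# session on the host under examination.
$activeSetupKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
$systemFolder = [Environment]::GetFolderPath('System')   # typically C:\Windows\System32

function Find-SuspiciousActiveSetupStub {
    foreach ($key in $activeSetupKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $stub  = $props.StubPath
            if (-not $stub) { return }   # most CLSID subkeys carry no StubPath at all

            # A legitimate Active Setup stub never runs svchost.exe, so any StubPath
            # that references it deserves a look. The write-up's exact form is
            # "<system folder>\svchost.exe"; MatchesWriteUp flags that case.
            if ($stub -match '(?i)svchost\.exe') {
                [PSCustomObject]@{
                    Key            = $_.PSPath -replace '^.*?::', ''
                    CLSID          = $_.PSChildName
                    StubPath       = $stub
                    MatchesWriteUp = $stub -like "*$systemFolder\svchost.exe*"
                }
            }
        }
    }
}

function Find-C2DnsCacheEntry {
    # A cached answer for the C2 hostname means something on this host resolved it
    # recently. Get-DnsClientCache requires Windows 8 / Server 2012 or later.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like '*lsls.3322.org*' } |
        Select-Object Entry, Data, TimeToLive
}

Find-SuspiciousActiveSetupStub | Format-Table -AutoSize
Find-C2DnsCacheEntry | Format-Table -AutoSize
```

A hit from either function is a lead, not a verdict: confirm by checking whether the StubPath target actually exists outside the legitimate svchost.exe and by reviewing network connections to TCP port 3460 from an "iexplore.exe" process.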
Analysis by Jeong Mun
Last update 21 March 2013