
Trojan.Dropper.Agent.TUP


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Dropper.Agent.TUP is also known as Backdoor.Win32.Poison.czd, Backdoor:Win32/poisonivy.E.

Explanation:

Files detected with this name are programs that have been packed/protected with a protection system (packer/protector) designed by malware authors to bypass anti-virus protection and to hide the malware's contents.

Characteristics:

It can be recognized by the presence of a single section named .text, with imports at the start of the section.

The imports the packer needs are resolved in a nonstandard way: it locates the kernel32 module in memory and looks up export names by a precomputed hash.

The packer's code is position independent (relocatable) and (usually) encrypted.
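As an added example (not code from BitDefender or malwarePDF), the following Python triage check looks for the section layout described above: it parses the PE headers directly and flags a file that has exactly one section, named .text, whose start coincides with the import directory. It assumes that "imports at the start of the section" means the import directory RVA equals the section's virtual address; the header stub it builds for testing is constructed here and is not a real sample.

```python
import struct


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to get its section headers and import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_offset = 96 if magic == 0x10B else 112          # data directory: PE32 vs PE32+
    # Data directory entry 1 is the import table (RVA, size).
    import_rva, import_size = struct.unpack_from("<II", data, opt + dd_offset + 8)
    sections = []
    for i in range(num_sections):
        hdr = opt + size_of_optional + 40 * i          # 40-byte IMAGE_SECTION_HEADER
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        virtual_size, virtual_address = struct.unpack_from("<II", data, hdr + 8)
        sections.append((name, virtual_address, virtual_size))
    return {"sections": sections, "import_rva": import_rva, "import_size": import_size}


def matches_packer_layout(data: bytes) -> bool:
    """Triage heuristic from the description: exactly one section, named .text,
    whose first bytes hold the import directory. A match is a lead, not a verdict."""
    pe = parse_pe(data)
    if len(pe["sections"]) != 1:
        return False
    name, virtual_address, _ = pe["sections"][0]
    return name == ".text" and pe["import_rva"] == virtual_address


def build_sample_pe(section_names, import_rva: int) -> bytes:
    """Constructed, non-runnable PE32 header stub used only to exercise the heuristic."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8, import_rva, 0x28)        # import table entry
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x200, 0x1000 * (i + 1), 0x200, 0x400,
                    0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return dos + coff + bytes(opt) + headers
```

The hash-based API resolution is not visible in the headers, so a match here is only a reason to look closer, for example at whether the import table is nearly empty.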

Methods used to avoid detection:

It has polymorphic code.

Its code is morphed by inserting garbage instructions, very long (and useless) loops (making it very slow), and/or by constructing the required data in multiple steps via add/sub/xor operations, and by inserting garbage calls to null functions.

The polymorphic code is changed very frequently to avoid detection of the packed/protected file(s) by anti-virus products.

Last update 21 November 2011
