Win32/Poisonivy

Forum for analysis and discussion about malware.

Win32/Poisonivy

Postby markusg » Fri Dec 03, 2010 9:09 pm

markusg
 
Posts: 713
Joined: Mon Mar 15, 2010 2:53 pm
Reputation point: 141

Re: backdoor

Postby EP_X0FF » Sat Dec 04, 2010 8:46 am

Thank you for the sample. This is a variant of Backdoor:Win32/Poisonivy.E.

Copies itself to %systemroot%\system32\taskeng.exe

Runs on every Windows boot through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components under the {3C65BAA2-8F50-716F-4A7F-B87ADCC65E0E} key. Upon deletion, it rewrites them back.

When started, it executes Internet Explorer and injects payload code into it. The payload contains a link to hmm.no-ip.info and protects taskeng.exe from being deleted (keeps an open handle to the file).

Contains a blacklist of antivirus executables:

avguard.exe
sched.exe
avgnt.exe
avcenter.exe
avconfig.exe

Topic title changed to the actual malware name.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562
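
As an added example, not code from the thread or from any of the posters: a small Python triage helper that parses a .reg export and flags the two persistence artifacts described in the post above, a Run value launching taskeng.exe from system32 and an Active Setup Installed Components subkey under the reported GUID. The sample .reg text, the Run value name "taskeng" and the benign "ExampleUpdater" entry are constructed for the demo; the GUID, the key paths and the file name come from the post. One caveat for anyone hunting with this: taskeng.exe is also a legitimate Task Scheduler binary in system32 on Vista and later, so the signal is a Run or StubPath entry launching it, not the presence of the file.

```python
"""Flag Poison Ivy-style persistence in a Windows .reg export.

Added example for the thread; indicators (GUID, key paths, dropped file name)
are taken from EP_X0FF's post, everything else is constructed for the demo.
"""
import re
from typing import Dict, List

# Indicators from the post.
PIVY_CLSID = "{3C65BAA2-8F50-716F-4A7F-B87ADCC65E0E}"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ACTIVE_SETUP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
DROPPED_BINARY = r"\system32\taskeng.exe"

# Constructed .reg export: the value name "taskeng" and the benign
# "ExampleUpdater" entry are made up; the keys and paths mirror the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"taskeng"="%SystemRoot%\\system32\\taskeng.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3C65BAA2-8F50-716F-4A7F-B87ADCC65E0E}]
"StubPath"="C:\\Windows\\system32\\taskeng.exe"
"""

# "name"="data" or @="data" (default value) lines inside a key section.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only string values are needed for this check; other types are kept as
    their raw right-hand side. Doubled backslashes in quoted strings are
    collapsed the way regedit would display them.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_pivy_persistence(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per Run value or Active Setup component that
    matches the persistence described in the thread."""
    findings: List[str] = []

    # 1. Anything in HKLM\...\Run that launches system32\taskeng.exe.
    #    The legitimate taskeng.exe is started by the Task Scheduler service,
    #    never from a Run value, so this alone is a strong signal.
    run_values = next(
        (v for k, v in keys.items() if k.lower() == RUN_KEY.lower()), {})
    for name, data in run_values.items():
        if DROPPED_BINARY.lower() in data.lower():
            findings.append(f"Run value '{name}' launches {data}")

    # 2. Active Setup components: the GUID from the post, or any component
    #    whose StubPath points at the dropped binary.
    prefix = ACTIVE_SETUP_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        clsid = key.rsplit("\\", 1)[1]
        stub = values.get("StubPath", "")
        if clsid.upper() == PIVY_CLSID or DROPPED_BINARY.lower() in stub.lower():
            findings.append(
                f"Active Setup component {clsid} (StubPath={stub or '<none>'})")
    return findings


if __name__ == "__main__":
    for finding in find_pivy_persistence(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

On a live system the input would be the output of `reg export` for the two keys; the parser deliberately ignores everything except string values so it can be pointed at a full hive export without choking on binary data. Because the post says the sample rewrites both keys when they are deleted, a clean run of this check right after removal is only meaningful once the injected Internet Explorer process and taskeng.exe itself are gone.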

Re: Backdoor:Win32/Poisonivy.E

Postby Brookit » Fri Dec 10, 2010 11:15 pm

This is the discontinued Poison Ivy RAT inside a Visual Basic dropper/crypter, nothing special.

w*w.poisonivy-rat.com
Human After All
Brookit
 
Posts: 119
Joined: Wed Mar 10, 2010 8:01 pm
Reputation point: 58

Re: Backdoor:Win32/Poisonivy.E

Postby Cyberpunk » Tue Dec 14, 2010 7:14 pm

The Poisonivy server is coded in assembly and the client in Delphi /...
Cyberpunk
 
Posts: 6
Joined: Wed Mar 24, 2010 1:33 pm
Reputation point: 0

Re: Malware/Not classified

Postby markusg » Sun May 08, 2011 10:48 am

markusg
 
Posts: 713
Joined: Mon Mar 15, 2010 2:53 pm
Reputation point: 141

Re: Malware/Not classified

Postby EP_X0FF » Tue May 10, 2011 5:28 pm

Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

New Poison ivy

Postby wayzoken » Sat Oct 15, 2011 7:01 pm

Poison Ivy, the new 2011 version: works in Win 7 64-bit and 32-bit. Patch HKLM/HKCU startup.
Written in Borland Delphi.
Weighs only 12 KB.

http://www.virustotal.com/file-scan/report.html?id=ad1baa3396aab2e1ca176fb0f7dbf6b27c39f4b2eb1cc7309002ac96332c6c48-1318704502

wayzoken
 
Posts: 7
Joined: Thu Oct 06, 2011 4:35 pm
Reputation point: 0

TrojanDownloader:Win32/Poison.A

Postby R136a1 » Sat Jan 28, 2012 12:25 pm

Hi there,

if you read the following blog post, you will see a tricky little downloader (even though it is written in VB). ;)

https://blogs.technet.com/b/mmpc/archiv ... ected=true

The Poison Ivy shellcode mentioned in the article is here:
http://tasteoftibet.net/1207.html

Does anybody have a sample of the aforementioned downloader?
SHA1: 2cc1b2cca8d07b55144141625aea3e61f2eca182
R136a1
 
Posts: 215
Joined: Wed Jul 13, 2011 4:30 pm
Location: Germany
Reputation point: 136

Re: TrojanDownloader:Win32/Poison.A

Postby swirl » Sat Jan 28, 2012 1:18 pm

Here it is.
swirl
 
Posts: 15
Joined: Wed Apr 21, 2010 5:11 pm
Reputation point: 8

Re: TrojanDownloader:Win32/Poison.A

Postby R136a1 » Sat Jan 28, 2012 2:23 pm

Thanks!
R136a1
 
Posts: 215
Joined: Wed Jul 13, 2011 4:30 pm
Location: Germany
Reputation point: 136
