A forum for reverse engineering, OS internals and malware analysis 
 #3834  by EP_X0FF
 Sat Dec 04, 2010 8:46 am
Thank you for the sample. This is a variant of Backdoor:Win32/Poisonivy.E

Copies itself to %systemroot%\system32\taskeng.exe

Runs at every Windows boot through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components under the {3C65BAA2-8F50-716F-4A7F-B87ADCC65E0E} key. Upon deletion, rewrites them back.

When started, executes Internet Explorer and injects payload code into it. The payload contains a link to hmm.no-ip.info and protects taskeng.exe from being deleted (keeps an open handle to the file).

Contains a blacklist of antivirus executables.
Topic title changed to the actual malware name.
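A host check for the persistence and self-protection behaviour described in the post above, written as an added example (not code from the thread or from the sample). The GUID and paths are the ones named in the post; the signer check assumes a clean taskeng.exe carries a valid Microsoft Authenticode signature.

```powershell
# Added example, not code from the thread or from the sample: a host check for the
# persistence and self-protection behaviour described in EP_X0FF's post.
# The GUID and paths are taken from the post; the signer check assumes a clean
# taskeng.exe carries a valid Microsoft Authenticode signature.
$Guid   = '{3C65BAA2-8F50-716F-4A7F-B87ADCC65E0E}'
$Target = Join-Path $env:SystemRoot 'System32\taskeng.exe'
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$AsKey  = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$Guid"
$Meta   = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$findings = @()

# 1. Run key: Windows does not launch taskeng.exe from Run, so any value
#    whose command line names it is worth a look.
if (Test-Path $RunKey) {
    foreach ($p in (Get-ItemProperty -Path $RunKey).PSObject.Properties) {
        if ($p.Name -in $Meta) { continue }
        if ("$($p.Value)" -match '(?i)taskeng\.exe') {
            $findings += [pscustomobject]@{ Where = "Run\$($p.Name)"; What = $p.Value }
        }
    }
}

# 2. Active Setup: the Installed Components subkey named in the post.
if (Test-Path $AsKey) {
    $stub = (Get-ItemProperty -Path $AsKey).StubPath
    $findings += [pscustomobject]@{ Where = "ActiveSetup\$Guid"; What = $stub }
}

if (Test-Path $Target) {
    # 3. Dropped file: the real binary is Microsoft-signed, a copy of the
    #    backdoor at this path is not.
    $sig = Get-AuthenticodeSignature -FilePath $Target
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += [pscustomobject]@{ Where = $Target; What = "Signature status: $($sig.Status)" }
    }
    # 4. Self-protection: the post says the payload keeps a handle open on the
    #    file. Asking for exclusive access fails with a sharing violation when
    #    another process has it open; treat this as a lead, since the
    #    legitimate Task Scheduler engine can also be running from this path.
    try {
        $fs = [System.IO.File]::Open($Target, 'Open', 'Read', 'None')
        $fs.Close()
    } catch [System.IO.IOException] {
        $findings += [pscustomobject]@{ Where = $Target; What = 'Held open by another process' }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No indicators found.' }
```

Run from an elevated PowerShell session so HKLM and System32 are readable; a clean host should report no indicators.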
 #3918  by Brookit
 Fri Dec 10, 2010 11:15 pm
This is the discontinued Poison Ivy RAT inside a Visual Basic Dropper/Crypter, nothing special.

 #11321  by R136a1
 Sat Jan 28, 2012 12:25 pm
Hi there,

If you read the following blog post, you will see a tricky little downloader (even though it is written in VB). ;)

https://blogs.technet.com/b/mmpc/archiv ... ected=true

The Poison Ivy shellcode mentioned in the article is here:

Does anybody have a sample of the aforementioned Downloader?
SHA1: 2cc1b2cca8d07b55144141625aea3e61f2eca182