
Win32/Poisonivy

PostPosted:Fri Dec 03, 2010 9:09 pm
by markusg

Re: backdoor

PostPosted:Sat Dec 04, 2010 8:46 am
by EP_X0FF
Thank you for the sample. This is a variant of Backdoor:Win32/Poisonivy.E

Copies itself to %systemroot%\system32\taskeng.exe

Runs at every Windows boot through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components under the {3C65BAA2-8F50-716F-4A7F-B87ADCC65E0E} key. Upon deletion, rewrites them back.

When started, executes Internet Explorer and injects its payload code into it. The payload contains a link to hmm.no-ip.info and protects taskeng.exe from being deleted (keeps an open handle to the file).

Contains a blacklist of antivirus executables:
avguard.exe
sched.exe
avgnt.exe
avcenter.exe
avconfig.exe

Topic title changed to the actual malware name.
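A triage check for the persistence artifacts EP_X0FF lists above, written here as an added example (it is not code from the thread or from any analysis tool mentioned in it). It assumes PowerShell on the affected host and, for the handle check only, the Sysinternals handle.exe on the PATH; the GUID, Run key, file path and iexplore.exe injection target are taken from the post.

```powershell
# Added triage script, not from the thread. Checks the registry and file artifacts
# described for Backdoor:Win32/Poisonivy.E. Note that taskeng.exe is a legitimate,
# Microsoft-signed Task Scheduler binary on Vista and later, so the file alone is
# not a finding; the registry references to it and a bad signature are.
$Findings = @()
$TaskEng  = Join-Path $env:SystemRoot 'system32\taskeng.exe'
$Guid     = '{3C65BAA2-8F50-716F-4A7F-B87ADCC65E0E}'   # GUID reported in the post

# 1. Run key: any value whose data points at taskeng.exe
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $RunKey) {
    $props = Get-ItemProperty -Path $RunKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell metadata properties
        if ("$($p.Value)" -match 'taskeng\.exe') {
            $Findings += "Run value '$($p.Name)' -> $($p.Value)"
        }
    }
}

# 2. Active Setup component under the reported GUID
$ActiveSetup = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$Guid"
if (Test-Path $ActiveSetup) {
    $stub = (Get-ItemProperty -Path $ActiveSetup).StubPath
    $Findings += "Active Setup component $Guid present (StubPath: $stub)"
}

# 3. A copy of taskeng.exe that is not validly Microsoft-signed is suspicious
if (Test-Path $TaskEng) {
    $sig = Get-AuthenticodeSignature -FilePath $TaskEng
    if ($sig.Status -ne 'Valid') {
        $Findings += "taskeng.exe signature status: $($sig.Status)"
    }
}

# 4. iexplore.exe holding an open handle to taskeng.exe (the described injection
#    target and the mechanism that blocks deletion); needs Sysinternals handle.exe
if (Get-Command handle.exe -ErrorAction SilentlyContinue) {
    $h = & handle.exe -accepteula -p iexplore.exe taskeng.exe 2>$null
    if ($h -match 'taskeng\.exe') {
        $Findings += 'iexplore.exe holds an open handle to taskeng.exe'
    }
}

if ($Findings) { $Findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Poisonivy.E persistence artifacts found' }
```

Because the backdoor rewrites the Run and Active Setup entries when they are removed, re-run the script after killing the injected iexplore.exe process to confirm the entries stay gone.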

Re: Backdoor:Win32/Poisonivy.E

PostPosted:Fri Dec 10, 2010 11:15 pm
by Brookit
This is the discontinued Poison Ivy RAT inside a Visual Basic dropper/crypter, nothing special.

w*w.poisonivy-rat.com

Re: Backdoor:Win32/Poisonivy.E

PostPosted:Tue Dec 14, 2010 7:14 pm
by Cyberpunk
The Poisonivy server is coded in assembly and the client in Delphi /...

Re: Malware/Not classified

PostPosted:Sun May 08, 2011 10:48 am
by markusg

Re: Malware/Not classified

PostPosted:Tue May 10, 2011 5:28 pm
by EP_X0FF

New Poison ivy

PostPosted:Sat Oct 15, 2011 7:01 pm
by wayzoken
Poison Ivy, the new 2011 version, works in Win 7 64-bit and 32-bit. Patches HKLM/HKCU startup.
Written in Borland Delphi.
Weighs only 12 KB.

http://www.virustotal.com/file-scan/rep ... 1318704502


TrojanDownloader:Win32/Poison.A

PostPosted:Sat Jan 28, 2012 12:25 pm
by R136a1
Hi there,

if you read the following blog post, you will see a tricky little downloader (even though it is written in VB). ;)

https://blogs.technet.com/b/mmpc/archiv ... ected=true

The Poison Ivy shellcode mentioned in the article is here:
http://tasteoftibet.net/1207.html

Does anybody have a sample of the aforementioned downloader?
SHA1: 2cc1b2cca8d07b55144141625aea3e61f2eca182

Re: TrojanDownloader:Win32/Poison.A

PostPosted:Sat Jan 28, 2012 1:18 pm
by swirl
Here it is.

Re: TrojanDownloader:Win32/Poison.A

PostPosted:Sat Jan 28, 2012 2:23 pm
by R136a1
Thanks!