

PostPosted:Fri Dec 03, 2010 9:09 pm
by markusg

Re: backdoor

PostPosted:Sat Dec 04, 2010 8:46 am
by EP_X0FF
Thank you for the sample. This is a variant of Backdoor:Win32/Poisonivy.E

Copies itself to %systemroot%\system32\taskeng.exe

Runs on every Windows boot through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components under the {3C65BAA2-8F50-716F-4A7F-B87ADCC65E0E} key. Upon deletion, rewrites them back.

When started, executes Internet Explorer and injects payload code into it. The payload contains a link to and protects taskeng.exe from being deleted (keeps an open handle to the file).

Contains a blacklist of antivirus executables.
Topic title changed to the actual malware name.
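
Added triage script for the persistence described in the post above; this is editor-supplied example code, not EP_X0FF's analysis tooling or anything from the sample. It takes the Run key, the Active Setup CLSID and the drop path exactly as the post lists them. Two things it relies on are not stated in the post and are assumptions on my part: that the Active Setup component uses the standard StubPath launch value, and that on Vista and later a legitimate, Microsoft-signed taskeng.exe (the Task Scheduler engine) already lives at that path, so file presence alone is not an indicator and the signature has to be checked instead.

```powershell
# Editor-added triage check for the Poisonivy.E persistence described in the post.
# Indicators (Run key, Active Setup CLSID, drop path) are taken from the post;
# the StubPath value name and the legitimate-taskeng.exe caveat are assumptions.
$Clsid    = '{3C65BAA2-8F50-716F-4A7F-B87ADCC65E0E}'
$DropPath = Join-Path $env:SystemRoot 'system32\taskeng.exe'
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$SetupKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$Clsid"

$findings = @()

# 1. Run key: any value whose data references the dropped file name.
if (Test-Path $RunKey) {
    $run = Get-ItemProperty -Path $RunKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'taskeng\.exe') {
            $findings += "Run value '$($p.Name)' -> $($p.Value)"
        }
    }
}

# 2. Active Setup component under the CLSID the sample uses.
#    StubPath is the standard launch value for Active Setup components (assumed, not from the post).
if (Test-Path $SetupKey) {
    $stub = (Get-ItemProperty -Path $SetupKey).StubPath
    $findings += "Active Setup component $Clsid present, StubPath = $stub"
}

# 3. Drop path: on Vista and later a Microsoft-signed taskeng.exe is expected here,
#    so only an unsigned or foreign-signed file at this path counts as a hit.
if (Test-Path $DropPath) {
    $sig = Get-AuthenticodeSignature -FilePath $DropPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "$DropPath present and not validly Microsoft-signed (status: $($sig.Status))"
    }
}

# 4. The post says the injected IE process keeps a handle to taskeng.exe open.
#    A windowless iexplore.exe is a cheap hint; confirm the handle with Sysinternals handle.exe.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    ForEach-Object { $findings += "iexplore.exe PID $($_.Id) running without a window" }

if ($findings.Count -eq 0) { 'No indicators from this sample found.' } else { $findings }
```

Run it from an elevated prompt, since the Run key and Active Setup live under HKLM. Because the post notes the keys are rewritten when deleted, the order of cleanup matters: terminate the injected iexplore.exe process first (which also releases the handle that blocks deletion of taskeng.exe), then remove the two registry entries and the file; `handle.exe taskeng.exe` from Sysinternals lists whichever process is holding the file if it is not the expected IE instance.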

Re: Backdoor:Win32/Poisonivy.E

PostPosted:Fri Dec 10, 2010 11:15 pm
by Brookit
This is the discontinued Poison Ivy RAT inside a Visual Basic dropper/crypter, nothing special.


Re: Backdoor:Win32/Poisonivy.E

PostPosted:Tue Dec 14, 2010 7:14 pm
by Cyberpunk
The Poison Ivy server is coded in assembly and the client in Delphi /...

Re: Malware/Not classified

PostPosted:Sun May 08, 2011 10:48 am
by markusg

Re: Malware/Not classified

PostPosted:Tue May 10, 2011 5:28 pm
by EP_X0FF

New Poison ivy

PostPosted:Sat Oct 15, 2011 7:01 pm
by wayzoken
Poison Ivy, the new 2011 version, works on Win 7 64-bit and 32-bit. Patch: HKLM/HKCU startup.
Written in Borland Delphi.
Weighs only 12 KB ... 1318704502



PostPosted:Sat Jan 28, 2012 12:25 pm
by R136a1
Hi there,

if you read the following blog post, you will see a tricky little downloader (even though it is written in VB). ;) ... ected=true

The Poison Ivy shellcode mentioned in the article is here:

Does anybody have a sample of the aforementioned downloader?
SHA1: 2cc1b2cca8d07b55144141625aea3e61f2eca182

Re: TrojanDownloader:Win32/Poison.A

PostPosted:Sat Jan 28, 2012 1:18 pm
by swirl
Here it is.

Re: TrojanDownloader:Win32/Poison.A

PostPosted:Sat Jan 28, 2012 2:23 pm
by R136a1