Win32/Poison [Threat Name]
Win32/Poison.NGT [Threat Variant Name]
Category | trojan |
Size | 150937 B |
Aliases | Backdoor.Trojan (Symantec) |
 | Troj/FakeAV-EQF (Sophos) |
 | Trojan-Downloader:W32/Injector.N (F-Secure) |
Short description
Win32/Poison.NGT is a trojan which tries to download other malware from the Internet. The file is run-time compressed using RAR SFX.
Installation
When executed, the trojan creates the following files:
- %temp%\query.exe
- %temp%\query.txt
- C:\Program Files\NetMeeting\netsa.dll
- C:\Windows\java\java.dll
The trojan may create the following files:
- %appdata%\msvcr71.exe
- %system%:msvcr71.exe
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "{647AA609-B451-CBE5-1283-5F68699030BC}" = "%appdata%\msvcr71.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{647AA609-B451-CBE5-1283-5F68699030BC}]
- "StubPath" = "%system%:msvcr71.exe"
This way the trojan ensures that the file is executed on every system start.
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe
- %defaultwebbrowser%
Other information
The trojan contains a URL. It tries to download a file from that address.
The downloaded file is executed as a thread in the following process:
- %defaultwebbrowser%
The trojan may delete the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{647AA609-B451-CBE5-1283-5F68699030BC}]
The trojan may delete the following files:
- %temp%\query.exe
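A host-side check for the artifacts listed above, added here as an example and not part of the original page: a PowerShell script that reports whether the dropped files, the `msvcr71.exe` alternate data stream on the system directory, and the two Registry persistence entries are present. It assumes `%system%` is `%SystemRoot%\System32`, `%appdata%` is `$env:APPDATA`, and reads `%system%:msvcr71.exe` as an NTFS alternate data stream attached to that directory.

```powershell
# Added example (not the page's own material): audit a host for the
# Win32/Poison.NGT indicators described above. Run from an elevated
# PowerShell session on the machine under investigation. Reports only;
# a hit should be triaged (hash, signature, timeline), not auto-deleted.
$Clsid  = '{647AA609-B451-CBE5-1283-5F68699030BC}'
$System = "$env:SystemRoot\System32"   # assumed expansion of %system%
$Findings = @()

# Dropped files named on the page (%temp%, %appdata% mapped to env vars)
$Paths = @(
    "$env:TEMP\query.exe",
    "$env:TEMP\query.txt",
    "$env:ProgramFiles\NetMeeting\netsa.dll",
    "$env:SystemRoot\java\java.dll",
    "$env:APPDATA\msvcr71.exe"
)
foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) { $Findings += "File present: $p" }
}

# "%system%:msvcr71.exe" read as an alternate data stream on the System32
# directory itself; Get-Item -Stream enumerates streams on the object.
$streams = Get-Item -LiteralPath $System -Stream * -ErrorAction SilentlyContinue
if ($streams | Where-Object { $_.Stream -eq 'msvcr71.exe' }) {
    $Findings += "ADS present: ${System}:msvcr71.exe"
}

# Persistence 1: HKCU Run value whose name is the CLSID-style GUID
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).$Clsid
if ($runVal) { $Findings += "Run value $Clsid = $runVal" }

# Persistence 2: Active Setup StubPath under the same GUID. Active Setup runs
# StubPath once per user at logon and records completion under HKCU; the page
# notes the trojan may delete that HKCU record, which makes it run again.
$asKey = "HKLM:\Software\Microsoft\Active Setup\Installed Components\$Clsid"
$stub  = (Get-ItemProperty -Path $asKey -ErrorAction SilentlyContinue).StubPath
if ($stub) { $Findings += "Active Setup StubPath = $stub" }

if ($Findings.Count -eq 0) { 'No Win32/Poison.NGT indicators found' }
else { $Findings }
```

Because the Run value and the Active Setup key are checked under the current user and HKLM respectively, run the script in each user context of interest when the host has several profiles.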