Win32/Poison [Threat Name]
Detection created | 2007-06-27
World activity peak | 2009-01-14 (0.62 %)
Short description
Win32/Poison is a trojan which tries to download other malware from the Internet.
Installation
When executed, the trojan copies itself to some of the following locations:
- %system%\%variable1%.exe
- %appdata%\%variable1%.exe
The trojan can create copies of itself as an ADS (Alternate Data Stream) of the following folders:
- %system%
- %appdata%
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{%variable2%}]
  "StubPath" = "%copiedmalwarefilepath%"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "pvp" = "%copiedmalwarefilepath%"
This way the trojan ensures that the file is executed on every system start.
A string with variable content is used instead of %variable1-2%.
The trojan may delete the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{%variable2%}]
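A triage check for the Registry entries listed above, as an added example that is not part of the original description or any vendor tooling. It assumes the input is the decoded text of a `reg export` of the relevant keys, and that %system% and %appdata% resolve to the default C:\Windows\System32 and per-user AppData\Roaming directories; the function name and the sample data are hypothetical.

```python
import re

# Constructed sample in `reg export` text form; GUIDs, user and file names are made up.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"pvp"="C:\\Windows\\System32\\abcd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Users\\alice\\AppData\\Roaming:abcd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"StubPath"="C:\\Program Files\\Vendor\\setup.exe /install"
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
ACTIVE_SETUP = r"hkey_local_machine\software\microsoft\active setup\installed components" + "\\"
# Assumption: default locations for %system% and %appdata%. The separator before the
# file name is "\" for a plain copy or ":" for a stream attached to the directory.
DROP_DIR = re.compile(
    r"^c:\\(windows\\system32|users\\[^\\]+\\appdata\\roaming)[\\:][^\\:]+\.exe$", re.I)

def find_poison_persistence(export_text):
    """Return (key, value name, data, reason) for entries matching the description."""
    hits, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # start of a new key section
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m or key is None:
            continue
        # .reg files double every backslash inside string data; undo that.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        k = key.lower()
        if k == RUN_KEY and name.lower() == "pvp":
            hits.append((key, name, data, "Run value named pvp"))
        elif k.startswith(ACTIVE_SETUP) and name.lower() == "stubpath" and DROP_DIR.match(data):
            # More than the drive-letter colon means a stream name follows the path.
            reason = "StubPath is an ADS" if data.count(":") > 1 else "StubPath in drop directory"
            hits.append((key, name, data, reason))
    return hits

if __name__ == "__main__":
    for hit in find_poison_persistence(SAMPLE_EXPORT):
        print(hit)
```

A StubPath hit is a heuristic only: legitimate Active Setup components can also point at executables in the system folder, so each match needs the referenced file checked before it is treated as an infection.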
The trojan can create and run a new thread with its own program code within the following processes:
- %originalmalwarefilename%
- explorer.exe
- %defaultbrowser%
Other information
The trojan contains a URL address.
It tries to download the other part of the infiltration from the address.
The file is executed as a thread in the following processes:
- %copiedfilepath%
- explorer.exe
- %defaultbrowser%
The HTTP protocol is used.
The trojan is able to log keystrokes.
Threat Variants with Description
Threat Variant Name | Date Added | Threat Type
Win32/Poison.NGT | 2011-10-27 | trojan
Win32/Poison.NAE | 2008-01-17 | trojan