
Backdoor:Win32/Poison.E


Backdoor:Win32/Poison.E is malware that allows a remote attacker to gain backdoor access and control of your computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

Backdoor:Win32/Poison.E tries to copy itself to your computer as "<system folder>\svchost.exe".

Note that a legitimate Windows file also named "svchost.exe" exists by default in the same folder and is in use by the system, so the copy attempt usually fails. A "svchost.exe" in the system folder that does not carry a valid Microsoft signature would indicate that the copy succeeded.

It creates the following Active Setup registry entry so that Windows runs it at user logon (Active Setup executes the StubPath command for each user account whose HKCU copy of the component key is missing, so the backdoor is relaunched as each user signs in):

In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\<CLSID>
Sets value: "StubPath"
With data: "<system folder>\svchost.exe"

where <CLSID> is the class ID for this malware.

Payload

Allows backdoor access and control

Backdoor:Win32/Poison.E connects to a remote server to receive commands, allowing a remote attacker to gain access to your computer. To bypass firewalls that filter by process, Backdoor:Win32/Poison.E starts an "iexplore.exe" process (Internet Explorer, which is commonly allowed outbound access) and injects itself into it. Once running inside that process, it contacts a remote server to receive commands.

A server it is known to contact is "lsls.3322.org" on TCP port 3460.

Once connected, it performs actions specified by the remote attacker, for example downloading and running arbitrary files and logging keystrokes.

Additional information

Backdoor:Win32/Poison.E creates mutexes named "rdgSxQc12" and "nZi1cM,Aw", which it uses as a marker that it is already running.
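The following PowerShell triage script is an added example, not part of the Microsoft write-up, that checks a Windows host for the indicators described above in the Installation, Payload and Additional information sections: the dropped svchost.exe copy, the Active Setup StubPath persistence, the iexplore.exe injection and TCP/3460 command channel, and the two mutexes. The $Indicators table, the Wow6432Node key path, the browser-port heuristic and the output field names are my own assumptions; the IOC values themselves come from the page.

```powershell
# Added triage script (not from the Microsoft write-up). Run from an elevated
# PowerShell prompt; Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
# The $Indicators table, the Wow6432Node path and the finding labels are assumptions.

$Indicators = @{
    StubPathTarget = Join-Path $env:SystemRoot 'System32\svchost.exe'   # "<system folder>\svchost.exe"
    C2Host         = 'lsls.3322.org'
    C2Port         = 3460
    Mutexes        = @('rdgSxQc12', 'nZi1cM,Aw')
}
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Dropped file: the copy to <system folder>\svchost.exe normally fails, but if it
#    succeeded the file would no longer carry a valid Microsoft signature. Caveat:
#    Windows 7 reports catalog-signed system files as NotSigned, so treat as a lead.
$sig = Get-AuthenticodeSignature -FilePath $Indicators.StubPathTarget
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Add-Finding 'svchost.exe signature' "$($Indicators.StubPathTarget): $($sig.Status)"
}

# 2. Persistence: Active Setup runs each component's StubPath at user logon. Flag any
#    component whose StubPath launches svchost.exe. The Wow6432Node view is where a
#    32-bit dropper's HKLM\Software write lands on 64-bit Windows (assumption).
$activeSetupKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)
foreach ($key in $activeSetupKeys) {
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
        if ($stub -and $stub -match 'svchost\.exe') {
            Add-Finding 'Active Setup StubPath' "$($_.Name): $stub"
        }
    }
}

# 3. Command and control: established TCP sessions to port 3460 or to the C2 host's
#    current addresses, plus any iexplore.exe talking on a port other than 80/443
#    (heuristic: the injected host process does not behave like a browser).
$c2Addrs = @()
try {
    $c2Addrs = [System.Net.Dns]::GetHostAddresses($Indicators.C2Host) |
        ForEach-Object { $_.IPAddressToString }
} catch { }   # the domain may no longer resolve; the port check still applies
$iePids = @(Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $byPort = $_.RemotePort -eq $Indicators.C2Port
    $byAddr = $c2Addrs -contains $_.RemoteAddress
    $byProc = ($iePids -contains $_.OwningProcess) -and ($_.RemotePort -notin @(80, 443))
    if ($byPort -or $byAddr -or $byProc) {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Add-Finding 'Network' "$owner (PID $($_.OwningProcess)) -> $($_.RemoteAddress):$($_.RemotePort)"
    }
}

# 4. Mutexes: check the session-local name and the Global\ namespace. An
#    access-denied error means the object exists but our token cannot open it,
#    which is still a positive hit.
foreach ($name in $Indicators.Mutexes) {
    foreach ($candidate in @($name, "Global\$name")) {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($candidate, [ref]$m)) {
                $m.Dispose()
                Add-Finding 'Mutex' $candidate
            }
        } catch [System.UnauthorizedAccessException] {
            Add-Finding 'Mutex (access denied)' $candidate
        }
    }
}

if ($findings.Count -eq 0) { 'No Poison.E indicators found.' }
else { $findings | Format-Table -AutoSize }
```

The mutex check only sees objects the current session can reach, so run it in the session of the user who was logged on when the infection occurred, or rely on the Global\ lookup. The browser-port heuristic will also flag legitimate proxies or non-standard web ports, so treat it as a lead to be confirmed against the StubPath and mutex findings rather than as a verdict on its own.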

Analysis by Jeong Mun


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.187.305.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Feb 07, 2007
This entry was updated on: Mar 20, 2013

This threat is also detected as:
  • Trojan/Win32.Hupigon (AhnLab)
  • BDS/Poisonivy.20.B (Avira)
  • Backdoor.Hupigon.1178 (BitDefender)
  • Backdoor.Poison.IXQ (Rising AV)