Backdoor:Win32/Poison.M is the detection for backdoor trojans that allow unauthorized access and control of a computer.
Backdoor:Win32/Poison.M drops a copy of itself as the following:
<system folder>\svc<random characters>.exe
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It creates the following Active Setup registry entry. Windows runs the StubPath command at logon for every user account that has not yet recorded this component as installed, so the referenced executable is launched again without a service or Run key:
Adds value: "StubPath"
With data: "C:\Windows\atctivexobj.exe"
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\<CLSID>
where <CLSID> is the CLSID for this trojan.
It attempts to install itself as a service by creating the following registry entry:
Adds value: "Description"
With data: "thank you"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MD ServicesB1
Allows backdoor access and control
When contacting the remote server to receive commands, Backdoor:Win32/Poison.M injects its code into the running process "explorer.exe". The trojan has been observed connecting to the server "htrcool.vicp.net" using TCP port 3460.
Commands received from the remote server may include downloading and executing arbitrary files or launching DDoS attacks against specified Web sites.
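The persistence keys and the command-and-control connection described above can be turned into an offline host triage check. The script below is an added example, not code from this encyclopedia entry or from Microsoft. It runs the indicator logic over a constructed registry snapshot and a constructed connection list: the C2 host and port, the service name "MD ServicesB1", its "thank you" Description, the StubPath data and the svc<random>.exe naming come from the text; the CLSIDs, the service's ImagePath, the specific random characters in the dropped file name and the benign rows are assumptions made for the sample data. On a live host the rows would come from a registry export and from "netstat -bno"; that collection step is assumed and not shown.

```python
"""Offline triage for the Backdoor:Win32/Poison.M indicators described above.

The registry rows and connection records at the bottom are constructed sample
data so the script runs without a Windows host. Collection from a real system
(registry export, netstat -bno) is assumed and not part of this example.
"""
import ntpath
import re

ACTIVE_SETUP_ROOT = r"HKLM\Software\Microsoft\Active Setup\Installed Components"
SERVICES_ROOT = r"HKLM\SYSTEM\CurrentControlSet\Services"
SYSTEM_FOLDER = r"C:\Windows\System32"  # assumed default; query the OS on a live host

# Stubs that legitimately appear under Active Setup on a stock install.
# Heuristic allowlist; extend it per environment.
KNOWN_STUBS = {"regsvr32.exe", "rundll32.exe", "ie4uinit.exe", "unregmp2.exe"}

C2_HOST = "htrcool.vicp.net"   # from the text
C2_PORT = 3460                 # from the text
DROPPED_NAME = re.compile(r"^svc[a-z0-9]+\.exe$", re.IGNORECASE)


def first_token(command):
    """Return the executable path at the head of a Windows command line.

    Handles both conventions: a "quoted path" followed by arguments, or a bare
    path up to the first space.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def norm(path):
    """Case-fold and normalise a Windows path so comparisons are stable."""
    return ntpath.normcase(ntpath.normpath(path))


def group_values(rows):
    """Turn flat (key, value name, data) rows into {key: {value name: data}}."""
    keys = {}
    for key, name, data in rows:
        keys.setdefault(key, {})[name] = data
    return keys


def check_active_setup(rows):
    """Flag Installed Components whose StubPath is not a known stub in System32."""
    findings = []
    for key, values in group_values(rows).items():
        if not norm(key).startswith(norm(ACTIVE_SETUP_ROOT)):
            continue
        stub = values.get("StubPath")
        if not stub:
            continue
        exe = norm(first_token(stub))
        reasons = []
        if ntpath.dirname(exe) != norm(SYSTEM_FOLDER):
            reasons.append("stub outside the System folder")
        if ntpath.basename(exe) not in KNOWN_STUBS:
            reasons.append("stub is not a known Active Setup binary")
        if reasons:
            findings.append((key, stub, "; ".join(reasons)))
    return findings


def check_services(rows):
    """Flag services matching the dropped-file pattern or the 'thank you' Description."""
    findings = []
    for key, values in group_values(rows).items():
        if not norm(key).startswith(norm(SERVICES_ROOT) + "\\"):
            continue
        name = ntpath.basename(key)
        image = values.get("ImagePath", "")
        exe = ntpath.basename(norm(first_token(image))) if image else ""
        reasons = []
        # svchost.exe would otherwise match svc<random>.exe, so exclude it explicitly.
        if exe != "svchost.exe" and DROPPED_NAME.match(exe):
            reasons.append("ImagePath matches dropped-file pattern svc<random>.exe")
        if values.get("Description", "").strip().lower() == "thank you":
            reasons.append('Description is "thank you"')
        if reasons:
            findings.append((name, image, "; ".join(reasons)))
    return findings


def check_connections(conns):
    """conns: (process, remote host, remote port) tuples, e.g. parsed from netstat -bno."""
    findings = []
    for proc, host, port in conns:
        reasons = []
        if host.lower() == C2_HOST:
            reasons.append("known C2 host")
        if port == C2_PORT:
            reasons.append("C2 port %d" % C2_PORT)
        if reasons and proc.lower() == "explorer.exe":
            reasons.append("from explorer.exe, the injection target")
        if reasons:
            findings.append((proc, host, port, "; ".join(reasons)))
    return findings


# Constructed sample data. The CLSIDs are placeholders, not the trojan's real CLSID;
# the ImagePath and the random suffix in the dropped file name are assumed.
SAMPLE_REGISTRY = [
    (ACTIVE_SETUP_ROOT + r"\{89820200-ECBD-11cf-8B85-00AA005B4340}", "StubPath",
     r"C:\Windows\system32\regsvr32.exe /s /n /i:U shell32.dll"),
    (ACTIVE_SETUP_ROOT + r"\{00000000-0000-0000-0000-000000000000}", "StubPath",
     r"C:\Windows\atctivexobj.exe"),
    (SERVICES_ROOT + r"\MD ServicesB1", "Description", "thank you"),
    (SERVICES_ROOT + r"\MD ServicesB1", "ImagePath", r"C:\Windows\System32\svcx7q2.exe"),
    (SERVICES_ROOT + r"\Dhcp", "Description", r"@%SystemRoot%\system32\dhcpcore.dll,-100"),
    (SERVICES_ROOT + r"\Dhcp", "ImagePath",
     r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted"),
]
SAMPLE_CONNECTIONS = [
    ("explorer.exe", "htrcool.vicp.net", 3460),
    ("explorer.exe", "www.msftncsi.com", 80),
    ("svchost.exe", "10.0.0.2", 53),
]


def triage(rows=SAMPLE_REGISTRY, conns=SAMPLE_CONNECTIONS):
    """Run all three checks and return the findings grouped by check."""
    return {
        "active_setup": check_active_setup(rows),
        "services": check_services(rows),
        "connections": check_connections(conns),
    }


if __name__ == "__main__":
    for section, hits in triage().items():
        for hit in hits:
            print(section, *hit, sep=" | ")
```

The Active Setup check deliberately reports two independent reasons, location and file name, because an attacker who drops into System32 under an unexpected name still trips the allowlist, while a known stub copied elsewhere still trips the location test. The port-only match on 3460 is weak on its own and is meant as a hunting pivot; the host match and the explorer.exe note are what raise confidence.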