Threat behavior
PoisonIvy is a backdoor trojan that allows unauthorized access to and control of an affected machine. It attempts to hide by injecting itself into other processes.
Installation
When executed, the backdoor creates a remote thread in explorer.exe. It then copies itself to c:\windows:svvchost.exe, and deletes the original trojan executable.
The following registry entry is modified in order to execute the trojan automatically:
Adds value: "StubPath"
With data: "c:\windows:svvchost.exe"
To subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\<CLSID>
Payload
Backdoor Functionality
When contacting the remote server in order to receive commands, PoisonIvy starts iexplore.exe and injects into it, thus attempting to evade common firewall programs.
Once injected into iexplore.exe, the trojan contacts startmenu.3322.org in order to receive commands. These commands may include downloading and executing arbitrary files.
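The two indicators above, the Active Setup StubPath persistence and the command-and-control host, are what a defender would hunt for first. Note that the StubPath data c:\windows:svvchost.exe contains a second colon, so it names an NTFS alternate data stream attached to the C:\Windows directory itself rather than a file inside it; a plain directory listing will not show it (dir /r on Windows does). The script below is an added example, not code from this analysis or from Microsoft. It parses a constructed .reg export of the Active Setup key, flags any StubPath that matches the page's path or that launches from an alternate data stream, and scans constructed connection-log lines (in a made-up timestamp|image|parent|host format) for the page's C2 host. The CLSIDs in the sample export are constructed placeholders, and flagging every host under the same 3322.org dynamic-DNS zone is an analyst's choice that goes beyond the single host the page names.

```python
"""Hunt for PoisonIvy persistence and C2 indicators described on this page.

Added example, not the analyst's or Microsoft's code. All inputs are
constructed samples so the script runs offline.
"""
import re

# Indicators taken from the page.
KNOWN_STUB_PATH = r"c:\windows:svvchost.exe"
KNOWN_C2_HOST = "startmenu.3322.org"
DYNDNS_ZONE = ".3322.org"  # broader hunting lead, an analyst's choice
ACTIVE_SETUP_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components"

# Drive letter, backslash path, then a second colon followed by a stream name:
# an NTFS alternate data stream (here attached to the C:\Windows directory).
ADS_PATH_RE = re.compile(r"^[a-z]:\\[^:]*:[^:]+$", re.IGNORECASE)

# Constructed .reg export: one benign-looking entry and one matching the page.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{11111111-1111-1111-1111-111111111111}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{22222222-2222-2222-2222-222222222222}]
"StubPath"="c:\\windows:svvchost.exe"
"""

# Constructed connection log: timestamp|image|parent image|destination host.
SAMPLE_CONNECTIONS = [
    "2024-01-01T10:00:01|iexplore.exe|explorer.exe|www.microsoft.com",
    "2024-01-01T10:00:07|iexplore.exe|explorer.exe|startmenu.3322.org",
    "2024-01-01T10:00:09|svchost.exe|services.exe|update.example.net",
]


def parse_reg_export(text):
    """Return {subkey: {value_name: data}} for the string values of a .reg export."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes as "\\"; undo that.
                result[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return result


def program_path(cmdline):
    """First token of a command line: a quoted path, or text up to the first space."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def is_alternate_data_stream(cmdline):
    """True when the program being launched lives in an NTFS alternate data stream."""
    return bool(ADS_PATH_RE.match(program_path(cmdline)))


def find_suspicious_stub_paths(reg_text):
    """Return [(subkey, stub_path, [reasons])] for suspicious Active Setup entries."""
    findings = []
    for subkey, values in parse_reg_export(reg_text).items():
        if not subkey.lower().startswith(ACTIVE_SETUP_KEY.lower()):
            continue
        stub = values.get("StubPath")
        if stub is None:
            continue
        reasons = []
        if stub.lower() == KNOWN_STUB_PATH:
            reasons.append("matches the PoisonIvy StubPath")
        if is_alternate_data_stream(stub):
            reasons.append("program launched from an alternate data stream")
        if reasons:
            findings.append((subkey, stub, reasons))
    return findings


def scan_connection_log(lines):
    """Return [(timestamp, image, host)] for connections to the C2 host or its zone."""
    hits = []
    for line in lines:
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue  # malformed line, skip rather than crash the hunt
        ts, image, _parent, host = parts
        if host.lower() == KNOWN_C2_HOST or host.lower().endswith(DYNDNS_ZONE):
            hits.append((ts, image, host))
    return hits


if __name__ == "__main__":
    for subkey, stub, reasons in find_suspicious_stub_paths(SAMPLE_REG_EXPORT):
        print(f"[persistence] {subkey}\n    StubPath={stub}\n    {'; '.join(reasons)}")
    for ts, image, host in scan_connection_log(SAMPLE_CONNECTIONS):
        print(f"[c2] {ts} {image} -> {host}")
```

On a live host the same checks map onto reg export of the Active Setup key and onto whatever process-to-destination log the endpoint sensor produces; the point of testing the launched program rather than the whole StubPath string is to avoid false positives from legitimate entries whose arguments happen to contain a colon, such as regsvr32 switches.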
Analysis by Matt McCormack
Prevention