Threat behavior
Win32/Poison is a family of backdoor trojans that allows unauthorized access and control of an affected PC. It attempts to hide by injecting itself into other processes.
Installation
When executed, this trojan injects its malicious code into one of the following Windows processes:
- iexplore.exe
- explorer.exe
- lsass.exe
The malware may create a copy of itself in the Windows folder, for example:
- %windir%\poisen.exe
- %windir%\wlswitcher.exe
It may then delete its originally running copy.
The registry is modified to run the trojan copy at each Windows start, for example:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<path and file name of Win32/Poison malware>"
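One way to check a host for the persistence artifacts described above, as an added example that is not part of the original encyclopedia entry: it enumerates the HKLM Run key and flags values whose data resolves to one of the example file names this entry lists, then looks for those files under %windir% directly. The Run value name is not known (the entry gives it as "<value>"), so matching is done on the expanded data path; the file names are the entry's examples, and variants may use others.

```powershell
# Added example, not code from the encyclopedia entry. File names are the
# examples the entry gives; the Run value name is unknown, so match on the path.
$KnownNames = @('poisen.exe', 'wlswitcher.exe')
$RunKey     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-SuspiciousRunEntry {
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PowerShell metadata properties
        # Expand %windir% and friends, then isolate the executable path from any arguments
        $data = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($data -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($data -split '\s+')[0] }
        $leaf = [IO.Path]::GetFileName($exe)
        if ($KnownNames -contains $leaf) {
            [PSCustomObject]@{
                ValueName = $p.Name
                Data      = $p.Value
                Path      = $exe
                Exists    = Test-Path -LiteralPath $exe
                InWindir  = $exe -like "$env:windir\*"
            }
        }
    }
}

# Check the Run key, then look for the dropped copies whether or not a Run entry exists
Get-SuspiciousRunEntry | Format-Table -AutoSize
foreach ($n in $KnownNames) {
    $f = Join-Path $env:windir $n
    if (Test-Path -LiteralPath $f) { Write-Output "Found dropped copy: $f" }
}
```

Run from an elevated session so the HKLM key and the Windows folder are readable; an empty result only means these particular artifacts are absent, not that the host is clean.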
Payload
Allows backdoor access and control
This malware communicates with a remote server to receive commands. It may inject itself into other running processes in an attempt to evade common firewall programs. For example, some variants of Win32/Poison start 'iexplore.exe' and inject into it. Once injected into iexplore.exe, Win32/Poison contacts a pre-defined remote server to receive commands using a specific TCP port. The actions it may be ordered to perform include the following:
- Downloading or uploading of files
- Keylogging
- Stealing WiFi keys
- Stealing NT/NTLM (Windows login) passwords
- Injecting into processes
- Capturing screen images and/or audio
- Redirecting proxies
- Scanning ports
Analysis by Vincent Tiu
Prevention