Skip to main content

Choose your country

Backdoor:W32/PoisonIvy

Classification

Category:

Malware

Platform:

W32

Type:

Backdoor

Aliases:

  • Backdoor.Win32.PoisonIvy
  • Gen:Trojan.Heur.PT

Summary

A remote administration tool (RAT) that bypasses the security features of a program, computer or network to give unauthorized access or control to its user.

Removal

Technical Details

Poison Ivy variants are backdoors that are created and controlled by a Poison Ivy management program or kit.
The Poison Ivy kit has a graphical user interface and is actively developed. The servers (the actual backdoors) are very small and are typically under 10kB in size. The size can however be considerably different if a packer or protector has been used to obfuscate the file.

Installation

Once executed, the backdoor copies itself to either the Windows folder or the Windows\system32 folder. The filename and locations are defined by the creator of the backdoor when using the Poison Ivy kit to create the server program.Some variants of Poison Ivy are capable of copying themselves into an Alternate Data Stream.
A registry entry will be added to ensure the backdoor is started every time the computer is booted up. The server then connects to a client using an address defined when the server-part was created. The communication between the server and client programs is encrypted and compressed. Below is the screenshot of the client application:
Poison Ivy can be configured to inject itself into a browser process before making an outgoing connection to help in bypassing firewalls.

Activity

Backdoor:W32/PoisonIvy gives the attacker practically complete control over the infected computer. Exact functionality depends on the variant in question but the following are the most common operations available to the attacker. Operations:
  • Files can be renamed, deleted, or executed. Files can also be uploaded and downloaded to and from the system
  • The Windows registry can be viewed and edited
  • Currently running processes can be viewed and suspended or killed
  • Current network connections can be viewed and shut down
  • Services can be viewed and controlled (for example stopped or started)
  • Installed devices can be viewed and some devices can be disabled
  • The list of installed applications can be viewed and entries can be deleted or programs uninstalled
Other functionality includes viewing a list of open windows or starting a remote command shell on the infected computer. Poison Ivy variants can also steal information by taking screenshots of the desktop and recording audio or webcam footage. They can also access saved passwords and password hashes.
Some variants also have a keylogger. Additional features not provided by the Poison Ivy configuration kit can be added by third party plugins.

Protect your devices from malware with F‑Secure Total

Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.

  • Award‑winning antivirus and malware protection
  • Online browsing, banking, and shopping protection
  • 24/7 online identity and data breach monitoring
  • Unlimited VPN service to safe­guard your privacy
  • Password manager with private data protection

Choose how many devices you want to protect to get started.

  • Free customer support
  • Cancel anytime
  • The trial does not obligate you to buy the product
Try Total 30 days for free

After 30 days your subscription will renew automatically for one year at €69.99.

More Support

Community

Ask questions in our Community.

User guides

Check the user guide for instructions.

Contact Support

Chat with with or call an agent.

Submit a Sample

Submit a file or URL for analysis.