Backdoor:W32/PoisonIvy

Threat description

Details

Category: Malware
Type: Backdoor

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Security programs will sometimes unintentionally identify a clean program or file as malicious if its code or behavior is similar to a known harmful program or file. This is known as a False Alarm or False Positive (FP).

For example, 'tmp.edb' and other '.edb' files stored at the location 'C:\WINDOWS\SoftwareDistribution\DataStore\Logs\' may be unintentionally detected as malicious by various security programs.

Checking for a fix

In most cases, a False Positive is fixed in a subsequent database release; updating your F-Secure security product to use the latest database is enough to resolve the issue. If you suspect a detected file may be a False Positive, you can check by first updating your F-Secure security product to use the latest detection database updates, then rescanning the suspect file.

Send a sample to F-Secure Labs

After checking, if you believe the file or program is still incorrectly detected, you can submit a sample of it to F-Secure Labs for analysis and correction:

Exclude a known safe file from further scanning

If you are positive that the suspect file is safe and you want to continue using it, you can exclude it from further scanning by the F-Secure security product:

You may also refer to the Knowledge Base on the F-Secure Community site for more assistance.

Also

Microsoft provides enterprise-level instructions for excluding files from scanning by antivirus software:

Technical Details

Poison Ivy Remote Administration Tool (RAT) variants are created and controlled by a Poison Ivy management program or kit. The Poison Ivy kit has a graphical user interface and is actively developed. The servers (the actual backdoors) are very small and are typically under 10kB in size. The size can however be considerably different if a packer or protector has been used to obfuscate the file.

Installation

Once executed, the backdoor copies itself to either the Windows folder or the Windows\system32 folder. The filename and location are defined by the creator of the backdoor when using the Poison Ivy kit to create the server program. Some variants of Poison Ivy are capable of copying themselves into an Alternate Data Stream.

A registry entry will be added to ensure the backdoor is started every time the computer is booted up. The server then connects to a client using an address defined when the server-part was created. The communication between the server and client programs is encrypted and compressed.

[Screenshot of the client application]

Poison Ivy can be configured to inject itself into a browser process before making an outgoing connection to help in bypassing firewalls.

Activity

Backdoor:W32/PoisonIvy gives the attacker practically complete control over the infected computer. Exact functionality depends on the variant in question, but the following are the most common operations available to the attacker:

  • Files can be renamed, deleted, or executed. Files can also be uploaded and downloaded to and from the system
  • The Windows registry can be viewed and edited
  • Currently running processes can be viewed and suspended or killed
  • Current network connections can be viewed and shut down
  • Services can be viewed and controlled (for example stopped or started)
  • Installed devices can be viewed and some devices can be disabled
  • The list of installed applications can be viewed and entries can be deleted or programs uninstalled

Other functionality includes viewing a list of open windows or starting a remote command shell on the infected computer. Poison Ivy variants can also steal information by taking screenshots of the desktop and recording audio or webcam footage. They can also access saved passwords and password hashes.

Some variants also have a keylogger. Additional features not provided by the Poison Ivy configuration kit can be added by third party plugins.
