Win32/Poison [Threat Name] go to Threat

Win32/Poison.NGT [Threat Variant Name]

Category trojan
Size 150937 B
Detection created Oct 27, 2011
Detection database version 6580
Aliases Backdoor.Trojan (Symantec)
  Troj/FakeAV-EQF (Sophos)
  Trojan-Downloader:W32/Injector.N (F-Secure)
Short description

Win32/Poison.NGT is a trojan which tries to download other malware from the Internet. The file is run-time compressed using RAR SFX .

Installation

When executed, the trojan creates the following files:

  • %temp%\­query.exe
  • %temp%\­query.txt
  • C:\­Program Files\­NetMeeting\­netsa.dll
  • C:\­Windows\­java\­java.dll

The trojan may create the following files:

  • %appdata%\­msvcr71.exe
  • %system%:msvcr71.exe

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "{647AA609-B451-CBE5-1283-5F68699030BC}" = "%appdata%\­msvcr71.exe"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Active Setup\­Installed Components\­{647AA609-B451-CBE5-1283-5F68699030BC}]
    • "StubPath" = "%system%:msvcr71.exe"

This way the trojan ensures that the file is executed on every system start.


The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • %defaultwebbrowser%
Other information

The trojan contains an URL address. It tries to download a file from the address.


The file is executed as a thread in the folowing process:

  • %defaultwebbrowser%

The trojan may delete the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Active Setup\­Installed Components\­{647AA609-B451-CBE5-1283-5F68699030BC}]

The trojan may delete the following files:

  • %temp%\­query.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.