Win32/Poison [Threat Name]

Detection created2007-06-27
World activity peak 2009-01-14 (0.62 %)
Short description

Win32/Poison is a trojan which tries to download other malware from the Internet.


When executed, the trojan copies itself in some of the the following locations:

  • %system%\­%variable1%.exe
  • %appdata%\­%variable1%.exe

The trojan can create copies of itself as an ADS (Alternative Data Stream) of the following files:

  • %system%
  • %appdata%

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Active Setup\­Installed Components\­{%variable2%}]
    • "StubPath" = "%copiedmalwarefilepath%"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "pvp" = "%copiedmalwarefilepath%"

This way the trojan ensures that the file is executed on every system start.

A string with variable content is used instead of %variable1-2% .

The trojan may delete the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Active Setup\­Installed Components\­{%variable2%}]

The trojan can create and run a new thread with its own program code within the following processes:

  • %originalmalwarefilename%
  • explorer.exe
  • %defaultbrowser%
Other information

The trojan contains a URL address.

It tries to download the other part of the infiltration from the address.

The file is executed as a thread in the folowing process:

  • %copiedfilepath%
  • explorer.exe
  • %defaultbrowser%

The HTTP protocol is used.

The trojan is able to log keystrokes.

Threat Variants with Description

Threat Variant Name Date Added Threat Type
Win32/Poison.NGT 2011-10-27 trojan
Win32/Poison.NAE 2008-01-17 trojan

Please enable Javascript to ensure correct displaying of this content and refresh this page.