Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

When executed, the trojan copies itself into the following location:

%windir%\svchost.exe (49152 B)

In order to be executed on every system start, the trojan sets the following Registry entry:

"explorer.exe" = "%windir%\svchost.exe"


The following Registry entry is set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FFE86B96-EBBB-D51C-84DA-8E09B35682EB}]
"StubPath" = "%windir%\svchost.exe"


The trojan creates and runs a new thread with its own program code within the following processes:

explorer.exe (Win32/Poison.NAE)

Other information

The Win32/Poison.NAE serves as a backdoor. It can be controlled remotely. The backdoor is able to update itself or execute arbitrary file.

The backdoor connects to the following addresses: (TCP port 3600)