Threat Encyclopedia


Installation
When executed, the trojan copies itself into the following location:

%windir%\svchost.exe (49152 B)

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"explorer.exe" = "%windir%\svchost.exe"

The following Registry entry is set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FFE86B96-EBBB-D51C-84DA-8E09B35682EB}]
"StubPath" = "%windir%\svchost.exe"
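
A defender-side check for the two persistence entries above, added here as an illustration and not part of the original entry: it parses an autorun listing written in the same notation and flags entries where svchost.exe is launched from outside the system directory (the genuine file lives in %windir%\System32) or where a Run value name imitates a different executable. The benign sample lines, the SYSTEM_NAMES list and the function names are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed autorun listing in the entry's own notation. The two svchost.exe
# lines are the ones documented above; the other two are made-up benign entries.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"explorer.exe" = "%windir%\svchost.exe"
"ExampleTray" = "%windir%\system32\exampletray.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FFE86B96-EBBB-D51C-84DA-8E09B35682EB}]
"StubPath" = "%windir%\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath" = "%windir%\system32\example.exe /setup"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')
IMAGE_RE = re.compile(r'\s*"?(.+?\.exe)', re.I)  # executable part of a command line
SYSTEM_DIRS = {r'%windir%\system32', r'%windir%\syswow64'}
SYSTEM_NAMES = {'svchost.exe'}  # assumption: names expected only in SYSTEM_DIRS

def parse(text):
    """Yield (key, value_name, data) from '[key]' / '"name" = "data"' lines."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VAL_RE.match(line)):
            yield key, m.group(1), m.group(2)

def findings(text):
    """Return (key, value_name, reasons) for autorun entries that look masqueraded."""
    out = []
    for key, name, data in parse(text):
        k, n = key.lower(), name.lower()
        is_run = k.endswith('\\currentversion\\run')
        is_stub = '\\active setup\\installed components\\' in k and n == 'stubpath'
        m = IMAGE_RE.match(data)
        if not (is_run or is_stub) or not m:
            continue
        image = PureWindowsPath(m.group(1).lower())
        reasons = []
        if image.name in SYSTEM_NAMES and str(image.parent) not in SYSTEM_DIRS:
            reasons.append('system binary name outside system directory')
        if is_run and n.endswith('.exe') and n != image.name:
            reasons.append('value name imitates a different executable')
        if reasons:
            out.append((key, name, reasons))
    return out

if __name__ == '__main__':
    for key, name, reasons in findings(SAMPLE):
        print(f'{key} :: {name} -> {"; ".join(reasons)}')
```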

The trojan creates and runs a new thread with its own program code within the following processes:

explorer.exe (Win32/Poison.NAE)


Other information

Win32/Poison.NAE serves as a backdoor and can be controlled remotely. The backdoor is able to update itself or execute an arbitrary file.

The backdoor connects to the following addresses:

iv3fjf.ath.cx (TCP port 3600)