[markusg]

http://www.virustotal.com/file-scan/rep ... 1291409820

[EP_X0FF]

Thank you for sample. This is variant of Backdoor:Win32/Poisonivy.E

Copies itself to %systemroot%\system32\taskeng.exe

Runs every Windows boot through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components under {3C65BAA2-8F50-716F-4A7F-B87ADCC65E0E} key. Upon deletion rewrites them back.

When started - executes Internet Explorer and injects to it payload code. Payload contains link to hmm.no-ip.info and protects taskeng.exe from being deleted (keeps opened handle of file).

Contains blacklist with antivirus executables.

avguard.exe
sched.exe
avgnt.exe
avcenter.exe
avconfig.exe

Topic title changed for actual malware name.

[Brookit]

This is discontinued Poison Ivy RAT inside a Visual Basic Dropper/Crypter, nothing special.

w*w.poisonivy-rat.com

[Cyberpunk]

The Poisonivy server is coded in assembly and the client in Delphi /...

[markusg]

stub.exe
https://www.virustotal.com/file-scan/re ... 1304850984

[EP_X0FF]

stub.exe
https://www.virustotal.com/file-scan/re ... 1304850984

Unpacked VT result

http://www.virustotal.com/file-scan/rep ... 1305048160

[wayzoken]

poison ivy the new 2011 version works in Win 7 64 bit 32 Bit Patch HKLMHKCU startup
Borland Delphi written.
weighs only 12kb

http://www.virustotal.com/file-scan/rep ... 1318704502

[R136a1]

Hi there,

if you read the following blog post, you will see a tricky little downloader (even though is written in VB). ;)

https://blogs.technet.com/b/mmpc/archiv ... ected=true

The Poison Ivy shellcode mentioned in the article is here:
http://tasteoftibet.net/1207.html

anybody has a sample of the aforementioned Downloader?
SHA1: 2cc1b2cca8d07b55144141625aea3e61f2eca182

[swirl]

here it is

[R136a1]

Thanks!