Backdoor.Win32.PoisonIvy.a


The backdoor itself is the encrypted server component of Poison Ivy, a common remote administration utility.

The backdoor gives a remote malicious user full access to the victim machine and the ability to execute a range of commands, including taking full control of the system, harvesting system information, downloading and launching files, creating and moving directories, modifying system registry keys, terminating active processes, taking screenshots of the desktop and sending them to the remote malicious user, shutting down the victim machine, etc.

Removal instructions

  1. Delete the backdoor file:
    %Windir%\wab32.exe
  2. Delete the following registry key:
    [HKLM\Software\Microsoft\Active Setup\Installed Components\{254F4E25-A65F-2764-0003-070806050704}]
    "StubPath" = "%Windir%\wab32.exe"
  3. Update your antivirus databases and perform a full scan of your computer.

This Trojan program provides a remote malicious user with full access to the victim machine. The Trojan itself is a Windows PE EXE file, 9216 bytes in size.

This program is dropped to the victim machine by Trojan-Dropper.Ichitaro.Tarodrop.a, which penetrates the victim machine via a vulnerability in Ichitaro Office Suite.

Installation

Once launched, the backdoor copies itself to the Windows root directory (%Windir%) as "wab32.exe" and then launches this copy:

%Windir%\wab32.exe

The original executable file will then be deleted.

The Trojan also creates the following registry key:

[HKLM\Software\Microsoft\Active Setup\Installed Components\{254F4E25-A65F-2764-0003-070806050704}]
"StubPath" = "%Windir%\wab32.exe"

The Trojan creates a unique identifier, ")!VoqA.I4", to flag its presence on the system.
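The three artifacts described in the Installation section above (the dropped file, the Active Setup registry key and the ")!VoqA.I4" identifier) are also what the removal instructions tell you to clean up. The following PowerShell script is an added example for checking a Windows host for them; it is not part of the encyclopedia entry and not code from the malware or its author. It assumes that the "unique identifier" is a named mutex, which the page itself does not state, and it additionally lists any running process started from the dropped file, which the page does not mention but which a responder needs to know before deleting the file.

```powershell
# Added example, not from the encyclopedia entry: look for the artifacts of
# Backdoor.Win32.PoisonIvy.a listed on the page. Run as Administrator so that
# HKLM and all processes are readable.

$backdoorPath = Join-Path $env:WINDIR 'wab32.exe'
$clsid        = '{254F4E25-A65F-2764-0003-070806050704}'
$regPath      = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$clsid"
$identifier   = ')!VoqA.I4'   # assumed to be a mutex name; the page only calls it an identifier

$findings = @()

# 1. Dropped copy of the backdoor in the Windows directory.
#    The page gives the original as a 9216-byte PE EXE, so the size is reported for comparison.
if (Test-Path -LiteralPath $backdoorPath) {
    $item = Get-Item -LiteralPath $backdoorPath
    $hash = (Get-FileHash -LiteralPath $backdoorPath -Algorithm SHA256).Hash
    $findings += "File present: $backdoorPath ($($item.Length) bytes, SHA256 $hash)"
}

# 2. Active Setup persistence key whose StubPath relaunches the dropped file at logon.
if (Test-Path -LiteralPath $regPath) {
    $stub = (Get-ItemProperty -LiteralPath $regPath -ErrorAction SilentlyContinue).StubPath
    $findings += "Registry key present: $regPath (StubPath = '$stub')"
}

# 3. Infection marker: try to open the named mutex without creating it.
#    TryOpenExisting succeeds only if some process currently holds a mutex of that name.
$mutex = $null
if ([System.Threading.Mutex]::TryOpenExisting($identifier, [ref]$mutex)) {
    $findings += "Identifier '$identifier' is held by a running process"
    $mutex.Dispose()
}

# 4. Any process whose image is the dropped file (must be stopped before the file can be deleted).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $backdoorPath) } |
    ForEach-Object { $findings += "Running process: PID $($_.Id) from $($_.Path)" }

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Win32.PoisonIvy.a artifacts found.'
} else {
    Write-Output 'Backdoor.Win32.PoisonIvy.a artifacts found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

If the script reports a running process, end that process before following removal step 1; Windows will not delete an executable that is still mapped into a process, and the running backdoor would in any case keep working until the next reboot. The mutex check only tells you that the marker is held right now; after the process has been stopped it disappears, so the file and registry checks are the ones to repeat to confirm that the cleanup took.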

Payload

©Virus-Encyclopedia.com All Rights Reserved.