Trojan.Dropper.Agent.TUP
VERY LOW
MEDIUM
8192
(Backdoor.Win32.Poison.czd, Backdoor:Win32/poisonivy.E)
Symptoms
Not applicable.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Suiu Andrei, virus researcher
Technical Description:
Files detected with this name are programs that have been packed or protected with a protection system (packer/protector) designed by malware authors to bypass anti-virus protection and to hide the malware contents.
Characteristics:
It can be recognized by the presence of a single section named .text, with the imports located at the start of that section.
The imports required by the packer are resolved in a non-standard way: the packer locates the kernel32 module in memory and looks up export names by comparing precomputed hashes.
The packer's code is position independent (relocatable) and (usually) encrypted.
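A header-level triage check for the layout described above (exactly one section, named .text, whose start coincides with the import directory), written as an added example and not part of the BitDefender entry; it assumes PE32 files and builds a constructed, synthetic PE header for testing rather than using a real sample.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table in the data directory


def single_text_section_with_imports_at_start(data: bytes) -> bool:
    """True if the PE32 image has exactly one section, named .text, whose
    VirtualAddress equals the import directory RVA (the layout described above)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:  # PE32 only (assumption)
        return False
    # PE32: the data directory begins at offset 96 of the optional header
    dd = opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
    import_rva = struct.unpack_from("<I", data, dd)[0]
    if num_sections != 1:
        return False
    sec = opt + opt_size  # first (and only) section header, 40 bytes each
    name = data[sec:sec + 8].rstrip(b"\0")
    virt_addr = struct.unpack_from("<I", data, sec + 12)[0]
    return name == b".text" and import_rva != 0 and import_rva == virt_addr


def build_sample_pe(section_names, import_rva):
    """Constructed test data: a minimal synthetic PE32 header (not a real sample).
    Section i is placed at RVA 0x1000 * (i + 1)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 96 + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, 0x100)
    sections = b"".join(
        name.ljust(8, b"\0") + struct.pack("<II", 0x1000, 0x1000 * (i + 1)) + b"\0" * 24
        for i, name in enumerate(section_names))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + sections
```

The check is a triage heuristic only: a match means the file deserves a closer look, not that it is this packer.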
Methods used to avoid detection:
It has polymorphic code.
Its code is morphed by inserting garbage instructions, very long (and useless) loops that make it very slow, and/or by constructing the required data in multiple steps via add/sub/xor operations; it also inserts garbage calls to null functions.
The polymorphic code has been changed very frequently in order to avoid detection of the packed/protected file(s) by the anti-virus products.