My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Backdoor.Poisonivy.CV

LOW
MEDIUM
~12k
(Backdoor:W32/PoisonIvy.JT)

Symptoms

- The presence of a file named systio.exe in %SYSDIR% and the following registry key:
HKLM\Software\Microsoft\ActiveSetup\Installed Components\{2E811653-4F55-1574-0104-010302040505}\StubPath
value -> %SYSDIR%\systio.exe...
- An instance of Firefox running in background even after Firefox is closed

Removal instructions:

Reboot your computer in Safe Mode, run regedit and find the registry subkey that contains the entry named StubPath (this must point to an executable file in %SYSDIR% - in this version of malware: systio.exe). Modify its value so that it won't point anymore to the infected file.
Remove the files named systio.exe and systio from %SYSDIR%

Please let BitDefender delete the infected files.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

     When first run, this malware will make a copy of itself in %SYSDIR%, named systio.exe and then deletes the original file. It will also create a file named systio, where it will save information about user's activity. In order to bypass firewall or router protection, it injects its code in the memory space of explorer.exe and firefox.exe (sometimes in the memory space of lsass.exe) and then executes this code. In order to mark its presence in the system it creates a mutex named " )!VoqA.I4 ". It modifies the following registry key in order to run at every system startup:
HKLM\Software\Microsoft\ActiveSetup\Installed Components\{2E811653-4F55-1574-0104-010302040505}\StubPath
value -> %SYSDIR%\systio.exe...

     This malware gives access to monitoring user's activity on an infected computer.