HPsus/Poison-A

Category:	Suspicious Behavior and Files	Protection available since:	08 Nov 2011 15:07:25 (GMT)
Type:	Suspicious file	Last Updated:	08 Nov 2011 15:07:25 (GMT)

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

HPsus/Poison-A is run-time detection of the Poison Ivy Remote Administration Trojan

Examples of HPsus/Poison-A include:

Example 1

File Information

Size: 152K
SHA-1: 5dc751444c1fe96055047fd867eed7b3608847b7
MD5: 76000c77ea9a214f5b2ae8cc387809db
CRC-32: 93bf51bc
File type: Windows executable
First seen: 2011-05-21

Runtime Analysis

Dropped Files

c:\Documents and Settings\test user\Local Settings\Temp\love.exe
Size
109K
SHA-1
3bb82621471033010e9074bd07ecd67040cf57a0
MD5
fa9d2f203635a25c82423d26a6bf0749
CRC-32
59ed0621
File type
Windows executable
First seen
2011-05-21
c:\Documents and Settings\test user\Local Settings\Temp\dick.txt
Size
7.3K
SHA-1
b11580777ce9c6fe36c77714dd8cf5fd01d1c149
MD5
a7b18cb7ce6b88541d516dd363c3bd33
CRC-32
2d4f64b5
File type
Unspecified binary - probably data
First seen
2011-05-18

Example 2

File Information

Size: 139K
SHA-1: 66401cb0dfdcb9b26de9bf086bc855fe4e0ec7f3
MD5: 5d075e9536c5494745135c1176981c96
CRC-32: fcdb7c43
File type: Windows executable
First seen: 2011-06-10

Other vendor detection

Kaspersky: Trojan.Win32.Agent2.dokd

Runtime Analysis

Dropped Files

c:\Documents and Settings\test user\Local Settings\Temp\Kool.txt
Size
7.3K
SHA-1
d5ecc3ba367d0cb7958d2e94db60fed8df5cf6f2
MD5
85836c667877f85a6171553dc23be408
CRC-32
6987efdb
File type
Unspecified binary - probably data
First seen
2011-05-30
C:\Program Files\Common Files\ODBC.dat
Size
7.3K
SHA-1
d5ecc3ba367d0cb7958d2e94db60fed8df5cf6f2
MD5
85836c667877f85a6171553dc23be408
CRC-32
6987efdb
File type
Unspecified binary - probably data
First seen
2011-05-30
c:\Documents and Settings\test user\Local Settings\Temp\t1.exe
Size
76K
SHA-1
4ebc449441e5b51a76c4dc43bb7cdeaa58370762
MD5
4e001249715db5943def9d4d1a9a8006
CRC-32
95724b6c
File type
Windows executable
First seen
2011-06-10
C:\WINDOWS\system32_ADS_AlternateDataStream_Found_adobe.exe
Size
77K
SHA-1
f67682eca91515c6fab69af80be98a90fc361304
MD5
f185d83442743101e138003d25c99c69
CRC-32
a7efad3b
File type
MS-DOS executable
First seen
2011-06-10
C:\WINDOWS\java\classes\JDE.cer
Size
7.3K
SHA-1
d5ecc3ba367d0cb7958d2e94db60fed8df5cf6f2
MD5
85836c667877f85a6171553dc23be408
CRC-32
6987efdb
File type
Unspecified binary - probably data
First seen
2011-05-30

Modified Files

%SYSTEM%
- Set the archive flag

Registry Keys Created

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{AD2B5BBB-7B05-98C5-DAC8-19AC466D0C3C}
StubPath
C:□□W□□N□@O□pS□□s□□s□@e□□3□ :□□d□□b□P.□Px□P□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□□
HKCU\Software\WinRAR SFX
C%%DOCUME~1%support%LOCALS~1%Temp
C:\DOCUME~1\support\LOCALS~1\Temp

Processes Created

c:\docume~1\support\locals~1\temp\t1.exe

HTTP Requests

http://-+e\xa5\x87#\x85\xb8t\x0c
http://-\x94\xbee\xb7\xdc\xa5\x8aK\x8e\xe4\xff\xa7\v;\xb0\xee\x8a\xe1\x89\x1b!\xd3\xb3\x14\xa3\xcf/\x86)Y\x07DJ\xdaT\x04

IP Connections

204.74.215.58:80

Example 3

File Information

Size: 150K
SHA-1: e67d5866635878953cc93e210a3af2905ad452df
MD5: a98d2c90b9494fc885c7cd35d43666ea
CRC-32: 16d086f3
File type: Windows executable
First seen: 2011-05-09

Runtime Analysis

Dropped Files

c:\Documents and Settings\test user\Local Settings\Temp\loo.txt
Size
7.3K
SHA-1
b11580777ce9c6fe36c77714dd8cf5fd01d1c149
MD5
a7b18cb7ce6b88541d516dd363c3bd33
CRC-32
2d4f64b5
File type
Unspecified binary - probably data
First seen
2011-05-18
c:\Documents and Settings\test user\Local Settings\Temp\winword.doc
c:\Documents and Settings\test user\Local Settings\Temp\ie.exe
Size
62K
SHA-1
87f1c9c768f4befa440a64f428c9bfe6e6615ec8
MD5
abe980ea68db4742da7672c9934f0c99
CRC-32
5bd727ea
File type
Windows executable
First seen
2011-05-11

Registry Keys Created

HKCU\Software\WinRAR SFX
C%%DOCUME~1%support%LOCALS~1%Temp
C:\DOCUME~1\support\LOCALS~1\Temp

Processes Created

c:\program files\windows nt\accessories\wordpad.exe

Try Sophos products for free
Download now

Security Goals

INDUSTRIES & SECTORS

COMPANY SIZE

PRODUCT FEATURES

CASE STUDIES

Company Overview

Our People

INNOVATIVE TECHNOLOGY

ALERT SERVICES

Product Features

Product Families

Complete Security

PRODUCTS BY NAME

Free Tools

Next Steps

RESOURCES

FIND AN ANSWER

Support by Product

Maintain your Product

Hire an Expert

WHAT'S POPULAR

THREAT ANALYSIS

THREAT STATISTICS

WHAT'S POPULAR

Threat Definitions

THREAT MONITORING

SECURITY HUBS

LIBRARY

Whats Popular

WHAT'S NEW

Community

IT SECURITY TRAINING

ANATOMY OF AN ATTACK

RESELLER PARTNERS

Managed Service Providers

SYSTEM INTEGRATORS

OEM and Technology

WHAT'S POPULAR

HPsus/Poison-A

Example 1

File Information

Runtime Analysis

Dropped Files

Example 2

File Information

Other vendor detection

Runtime Analysis

Dropped Files

Modified Files

Registry Keys Created

Processes Created

HTTP Requests

IP Connections

Example 3

File Information

Runtime Analysis

Dropped Files

Registry Keys Created

Processes Created

Free Mac Anti-Virus

Popular topics