TrojanDownloader:Win32/Poison.A is a small trojan executable that downloads and executes a variant of Win32/Poison (aka "Poison Ivy"), a trojan that allows unauthorized access to an affected host computer.
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
Installation
TrojanDownloader:Win32/Poison.A may be installed by other malware. When run, the trojan executes its file downloading payload.
Payload
Downloads malware
The trojan connects to a compromised website to retrieve non-executable data in the following example hexadecimal format:
The trojan injects the downloaded hex code into its own running process and copies itself to the Windows system folder as "misys.exe". The new file is a variant of Win32/Poison.
Additional information
For more information about Win32/Poison, see the description elsewhere in the encyclopedia.
The following system changes may indicate the presence of this malware:
The presence of the following files: <system folder>\misys.exe
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the system folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.
Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.
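The file indicator above can be checked across the system-folder defaults the note lists. The following Python is an added example, not code from the encyclopedia entry: the file-creation event format and the sample event lines are constructed assumptions, and the live %SystemRoot% lookup only contributes on a Windows host.

```python
"""Hunt for the Win32/Poison.A file indicator: <system folder>\\misys.exe."""
import ntpath
import os

# Default system folders named in the entry (Windows 2000/NT vs. XP/Vista/7).
DEFAULT_SYSTEM_FOLDERS = (r"C:\Winnt\System32", r"C:\Windows\System32")
INDICATOR_FILENAME = "misys.exe"


def system_folders():
    """Known system folders, plus the live one when %SystemRoot% is set (Windows)."""
    folders = set(DEFAULT_SYSTEM_FOLDERS)
    root = os.environ.get("SystemRoot")  # absent on non-Windows hosts
    if root:
        folders.add(ntpath.join(root, "System32"))
    return {f.lower().rstrip("\\") for f in folders}


def is_poison_indicator(path):
    """True if path resolves to <system folder>\\misys.exe (case-insensitive, like NTFS)."""
    folder, name = ntpath.split(ntpath.normpath(path))  # collapses ".." segments
    return name.lower() == INDICATOR_FILENAME and folder.lower().rstrip("\\") in system_folders()


# Constructed file-creation events: "<timestamp> <process> created <path>" (assumed format).
SAMPLE_EVENTS = [
    "2024-05-21T10:01:02 svchost.exe created C:\\Windows\\System32\\misys.exe",
    "2024-05-21T10:01:05 explorer.exe created C:\\Users\\alice\\Downloads\\misys.exe",
    "2024-05-21T10:01:09 unknown.exe created C:\\WINNT\\system32\\MISYS.EXE",
    "2024-05-21T10:01:11 msiexec.exe created C:\\Windows\\System32\\drivers\\etc\\hosts",
    "2024-05-21T10:01:15 notepad.exe opened C:\\Windows\\System32\\misys.exe",
]


def find_hits(events):
    """Return the file-creation events whose target path matches the indicator."""
    hits = []
    for line in events:
        if " created " not in line:
            continue  # only file-creation events carry the indicator
        _, path = line.split(" created ", 1)
        if is_poison_indicator(path.strip()):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("Win32/Poison.A indicator:", hit)
```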