This malware is related to the campaign that targeted TV and government-related websites in Hong Kong and Taiwan. In that campaign, attackers used Flash exploits that surfaced in the Hacking Team leak to deliver this PoisonIvy variant.
To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.
This backdoor may be downloaded by other malware/grayware from remote sites.
It executes commands from a remote malicious user, effectively compromising the affected system.
This backdoor may be downloaded by the following malware/grayware from remote sites:
This backdoor executes the following commands from a remote malicious user:
It connects to the following URL(s) to send and receive commands from a remote malicious user:
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Remove the malware/grayware file that dropped or downloaded BKDR_POISON.TUFW. (Note: Skip this step if the threat(s) listed below have already been removed.)
Identify and terminate files detected as BKDR_POISON.TUFW
Scan your computer with your Trend Micro product to delete files detected as BKDR_POISON.TUFW. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. See the Trend Micro Knowledge Base for more information.