Poison Ivy 2.2.0
(Backdoor.Win32.Poison.oo for Server)

by shapeless

Written in Delphi

Released in February 2007

Poison Ivy is an advanced, reverse-connection, firewall-bypassing remote administration tool.
All communications are encrypted with Camellia using a 256-bit key, and authentication is based on a challenge-response.
For this reason, you should type a long password (it will be padded to 256 bits, or 32 characters) to ensure maximum
The project is written in MASM32 (server) and Delphi 7 (client).
Because of the special way it works, a server update is hardly ever needed, regardless of how many features or changes are made.
The server is only 10 KiB long (unpacked; it can shrink to 5.3 KiB when packed with FSG, for example), is completely standalone,
depends on no runtimes, and runs on all NT-based Windows operating systems (even under restricted accounts), 32-bit and 64-bit;
as of v2.2.0 it also runs on Vista. It drops no files, except the key logger's log file (if that feature is enabled).

Features: firewall bypassing, reverse connection, 256-bit Camellia-encrypted communications, transparent compression of transfers
and communications, full-featured file, registry, services and process manager, relay servers (SOCKS 4 and 5, port redirect),
view installed applications (some support remote silent uninstallation), key logger, traffic sniffer, remote screen capture and
web cam viewing, password manager (IE cached passwords, MSN passwords, Firefox cached passwords, Wireless Zero Configuration
passwords, LM/NTLM hashes), sound capture, runs on restricted accounts, very small independent server.

Changes from 2.1.2 to 2.2.0 (list is chronological):
* means Bugfix
+ means feature added
+ Client now remembers the column sizes (only in the main window).
+ Position button in the DNS/Port editor, and Replace, Rename and Resume for file transfers.
* You can now resume unfinished downloads/uploads without any fuss.
+ "Last seen" in the ping column if you select to preserve dead connections.
+ Reset Stats.
+ "Connection attempts" added to client stats.
* Fixed "Goto site" in cache passwords.
* Key log file is now always deleted when you uninstall.
* Fixed Vista compatibility.
+ New "fast button": Monitor CPU/memory status.
+ "Workgroup" added in Information.
+ Copy WAN IP in the connection list.
+ "Hide password" check box next to passwords.
+ Made the Secure Delete much better (now overwrites with random data).
* The server now removes all ActiveX entries that have the same file path as itself (this should solve all startup problems).
* Fixed the known bug that occurred when you showed the 'data transfers' for the first time while transferring something.
+ Changed so that it only requires one click on the tray icon to show/hide the main window.
* Fixed the "JPEG bug #53" when viewing thumbnails.
* When the client reaches the connection limit, it will not prune all connections when it pings.
+ Camellia encryption
+ New authentication method
* A small bug that occurred when you captured screen/webcam and changed the autosave name (the saved files didn't have a
* A SOCKS5 crash bug that occurred when you used "Resolve names remotely" in the connecting client.
* A bug that occurred when you chose "No" on "uninstall applications".
+ Multiple relays now possible
* When a server that has been injected into a custom process gets restarted, it will kill its relay servers (making the ports available again).
* A rare crash-bug when refreshing wireless passwords (only occurred for some).
* Some minor things in the Audio capture.
+ Audio capture added
* Small improvements to the webcam code
* Double click on keys in regedit search doesn't crash the server anymore.
* Uninstall removes restricted autostart entries.


size: 10,240 bytes

added to registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2B81DA45-7941-1AAB-0607-050404050708} "StubPath"
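A defender-side check for the persistence location listed above, added here as an example (it is not from this page nor from Poison Ivy's author): it parses a `reg export` of the Active Setup `Installed Components` key, lists each subkey's `StubPath`, and flags both the GUID recorded on this page and any `StubPath` whose executable sits outside the Windows directory. The sample export, the zero-padded "benign" GUIDs, the placeholder file names, the `C:\WINDOWS` prefix and the outside-Windows heuristic are all assumptions made for the example.

```python
import re

# Constructed sample of a `reg export` of the Active Setup key. It is NOT a
# dump from a real system: the zero-padded GUIDs and every file name are
# placeholders; only the second GUID is the one recorded on this page.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\WINDOWS\\system32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2B81DA45-7941-1AAB-0607-050404050708}]
"StubPath"="C:\\WINDOWS\\system32\\EXAMPLE_PLACEHOLDER.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="\"C:\\Documents and Settings\\user\\Application Data\\EXAMPLE_PLACEHOLDER2.exe\""
"""

# Matches the per-component subkey line of the export and captures its GUID.
ACTIVE_SETUP_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\(\{[0-9A-Fa-f-]+\})\]$",
    re.IGNORECASE,
)
# Matches a string value line: "Name"="data" (data still carries .reg escaping).
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape_reg_string(data):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_active_setup(reg_text):
    """Return {GUID: {value name: data}} for every Installed Components subkey."""
    entries = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = ACTIVE_SETUP_KEY.match(line)
        if key:
            current = key.group(1).upper()
            entries[current] = {}
            continue
        if line.startswith("["):
            current = None  # some other key: ignore its values
            continue
        value = REG_VALUE.match(line)
        if value and current is not None:
            entries[current][value.group("name")] = unescape_reg_string(value.group("data"))
    return entries


def stub_executable(stub_path):
    """Extract the program from a StubPath command line (quoted, or first token).
    An unquoted path containing spaces is cut at the first space; that limit is
    accepted here to keep the example short."""
    stub_path = stub_path.strip()
    if stub_path.startswith('"'):
        return stub_path[1:].split('"', 1)[0]
    return stub_path.split(" ", 1)[0]


# GUID recorded on this page for the Poison Ivy 2.2.0 server's StubPath entry.
WATCHLIST = {
    "{2B81DA45-7941-1AAB-0607-050404050708}": "Poison Ivy 2.2.0 server StubPath (this page)",
}
# Assumption: Windows is installed in C:\WINDOWS; on a live box derive this from %SystemRoot%.
WINDOWS_DIR_PREFIX = r"c:\windows"


def review_stub_paths(entries, watchlist=WATCHLIST):
    """Flag StubPath entries that match the watch-list or point outside Windows."""
    findings = []
    for guid, values in entries.items():
        stub = values.get("StubPath")
        if stub is None:
            continue
        reasons = []
        if guid in watchlist:
            reasons.append("watch-list GUID: " + watchlist[guid])
        if not stub_executable(stub).lower().startswith(WINDOWS_DIR_PREFIX):
            reasons.append("StubPath executable outside the Windows directory (heuristic)")
        if reasons:
            findings.append({"guid": guid, "stub_path": stub, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_stub_paths(parse_active_setup(SAMPLE_REG_EXPORT)):
        print(finding["guid"], finding["stub_path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On a real host, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" components.reg` and feed the file's text to `parse_active_setup`; Active Setup StubPath commands run once per user at logon, so every entry that is not a known Windows or vendor component deserves a look, not only the GUID on this page.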

tested on Windows XP
February 11, 2007