
Trojan.Swizzor.1

HIGH
MEDIUM
200 kB - 600 kB
Aliases: Swizzor, FatObfus, Lop, Obfuscated, C2Lop

Symptoms

  • Several "iexplore.exe" processes with a hidden window.
  • Presence of the randomly named files, folders and registry entries listed in the technical description below.
  • Increased network activity.
  • Computer slowdowns.
  • Internet Explorer pop-ups.

Removal instructions:

Kill the "iexplore.exe" processes that have a hidden window and delete the infected files; then remove the Run values and the scheduled task described below so that the trojan is not restarted at the next logon.

Analyzed By

Dan Anton, virus researcher

Technical Description:

Trojan.Swizzor.1 is the name of a generic detection for an obfuscated downloader that usually comes bundled with other software (such as 3wPlayer or so-called BitTorrent optimization tools).

When such a tool is installed, it downloads a copy of Trojan.Swizzor.1 and saves it as:

%Temp%\minime.exe

When the downloaded file is executed, it starts a new "iexplore.exe" process with a hidden window, injects its code into that process and uses it to download further copies of Trojan.Swizzor.1 into the %Temp% folder. These are then saved as %AppData%\[random-folder-name]\[random-file-name] or %User-AppData%\[random-folder-name]\[random-file-name].

It also creates a new registry subkey with a random name under HKCU\Software\[random-subkey-name].

Some of the downloaded files may be registered under the following Run subkeys so that the trojan is executed at every system start-up:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"[random-value-name]"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"[random-value-name]"

[random-folder-name], [random-file-name], [random-subkey-name] and [random-value-name] consist of one or more random English words of three or four letters, sometimes separated by spaces and sometimes run together, such as:
  • bind army eggs joy
  • byte save meta
  • bore user bike
  • htm try
  • modethis
  • stopcakedumb

A new hidden Windows scheduled task with a random name (for example A3B0D938919B5400.job) may also be created to start one of the downloaded files every hour.

A few examples of the IP addresses Trojan.Swizzor.1 may be downloaded from are:
  • 64.34.228.[hide]
  • 205.234.175.[hide] (vip1.[hide].cachefly.net)

%Temp% refers to the Temporary folder (in Windows XP the default is C:\Documents and Settings\[User-Name]\Local Settings\Temp).
%AppData% refers to the All Users Application Data folder (in Windows XP the default is C:\Documents and Settings\All Users\Application Data).
%User-AppData% refers to the user's Application Data folder (in Windows XP the default is C:\Documents and Settings\[User-Name]\Application Data).
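The following Windows PowerShell script is an added triage example, not part of the original Bitdefender write-up and not its removal tool. It hunts a live host for the indicators described above: iexplore.exe processes without a visible window, Run values and Application Data folders whose names follow the random-word pattern, the random HKCU\Software subkey, the %Temp%\minime.exe dropper and the 16-hex-digit .job task. It assumes Windows PowerShell 3.0 or later, and the name pattern (one to four lowercase words of three or four letters) is a heuristic inferred from the examples listed above. It reports only and deletes nothing.

```powershell
# Added triage script for the Trojan.Swizzor.1 indicators described on this page.
# Example code, not Bitdefender's tooling. Run in an elevated Windows PowerShell
# (3.0+) session; it only reports findings and never kills or deletes anything.

# Heuristic (assumed from the page's examples): names made of one to four lowercase
# 3-4 letter words, e.g. "bind army eggs joy", "modethis", "stopcakedumb".
$WordPattern = '^(?:[a-z]{3,4} ?){1,4}$'

# %User-AppData% and %AppData% (All Users) as defined on the page, resolved for any Windows version.
$AppDirs = @(
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('CommonApplicationData')
)

function Find-HiddenIexplore {
    # iexplore.exe processes with no main window, reported with parent and command line.
    # Caveat: on IE8+ tab/content processes also have no window; check the parent before acting.
    Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'" | ForEach-Object {
        $p = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
        if ($p -and $p.MainWindowHandle -eq [IntPtr]::Zero) {
            $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Pid         = $_.ProcessId
                Parent      = '{0} ({1})' -f $parent.Name, $_.ParentProcessId
                CommandLine = $_.CommandLine
            }
        }
    }
}

function Find-SwizzorAutoruns {
    # Run values whose name matches the word pattern, or whose data points into
    # either Application Data folder (where the downloaded copies are stored).
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }   # provider metadata, not a value
            $data = [string]$prop.Value
            $inAppData = @($AppDirs | Where-Object { $data -like "*$_*" }).Count -gt 0
            if ($prop.Name -match $WordPattern -or $inAppData) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Data = $data }
            }
        }
    }
}

function Find-SwizzorDropFolders {
    # Random-word folders under Application Data that contain executables, the random
    # HKCU\Software subkey, and the original dropper in %Temp%.
    foreach ($dir in $AppDirs) {
        Get-ChildItem -Path $dir -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $WordPattern } |
            ForEach-Object {
                $exes = @(Get-ChildItem -Path $_.FullName -Filter *.exe -Force -ErrorAction SilentlyContinue)
                if ($exes.Count -gt 0) {
                    [pscustomobject]@{ Location = $_.FullName; Detail = ($exes.Name -join ', ') }
                }
            }
    }
    Get-ChildItem -Path HKCU:\Software -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $WordPattern } |
        ForEach-Object { [pscustomobject]@{ Location = $_.Name; Detail = 'registry subkey' } }
    $dropper = Join-Path $env:TEMP 'minime.exe'
    if (Test-Path $dropper) { [pscustomobject]@{ Location = $dropper; Detail = 'dropper' } }
}

function Find-SwizzorTasks {
    # Hidden .job tasks with a 16-hex-digit name, e.g. A3B0D938919B5400.job
    Get-ChildItem -Path (Join-Path $env:windir 'Tasks') -Filter *.job -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^[0-9A-F]{16}$' } |
        Select-Object FullName, LastWriteTime
}

'== Hidden iexplore.exe processes ==';  Find-HiddenIexplore     | Format-Table -AutoSize
'== Suspicious Run values ==';          Find-SwizzorAutoruns    | Format-Table -AutoSize
'== Drop folders, subkeys, dropper =='; Find-SwizzorDropFolders | Format-Table -AutoSize
'== Hourly .job tasks ==';              Find-SwizzorTasks       | Format-Table -AutoSize
```

Run it elevated so that the HKLM Run key and the Tasks folder are readable. Review every hit before acting: a hidden iexplore.exe whose parent is a visible iexplore.exe or explorer.exe is normally a legitimate browser child process, whereas one whose parent lives under Application Data fits the injection described above and can be stopped with Stop-Process -Force before the files, Run values and .job task are removed. The word-pattern match is a heuristic and will occasionally flag legitimate short names, so confirm each Run value by inspecting the executable it points to.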