- Several "iexplore.exe" processes running with a hidden window.
- Presence of the files, folders and registry subkeys with the names described below.
- Increased network activity.
Kill the hidden-window "iexplore.exe" processes first (the code injected into them is what keeps downloading new copies), then delete the dropped files and the persistence entries described below (the start-up registry values and the random-named scheduled task).
Dan Anton, virus researcher
Trojan.Swizzor.1 is the name of a generic detection for an obfuscated downloader that usually comes bundled with other software (such as 3wPlayer or so-called BitTorrent optimization tools).
When such a tool is installed, it downloads a copy of Trojan.Swizzor.1 and saves it as %Temp%\minime.exe
When this downloaded file is executed, it starts a new "iexplore.exe" process with a hidden window, injects its code into the newly started process and, from there, downloads further copies of Trojan.Swizzor.1 into the %Temp% folder, saving them as %AppData%\[random-folder-name]\[random-file-name]
It also creates a registry subkey with a random name: HKCU\Software\[random-subkey-name]
Some of the downloaded files may be registered under the following registry subkeys so that the trojan is executed at every system start-up:
The random names consist of English words of 3 or 4 letters, such as:
- bind army eggs joy
- byte save meta
- bore user bike
- htm try
A hidden Windows scheduled task with a random name (for example A3B0D938919B5400.job) may also be created to start one of the downloaded files every hour.
A few examples of the IPs Trojan.Swizzor.1 may be downloaded from are:
- 205.234.175.[hide] (vip1.[hide].cachefly.net)
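The indicators above can be checked on a live host with the following triage script. It is added here as an example and is not part of the original analysis or BitDefender's code. It assumes that the random names follow the four examples given (2 to 4 lower-case words of 3 or 4 letters), that the .job file name is 16 hex digits, and, because the list of start-up registry keys did not survive on this page, it checks the standard HKCU and HKLM ...\CurrentVersion\Run keys; all three are assumptions rather than facts from the write-up.

```powershell
# Triage script added to this write-up (not BitDefender's code): looks for the
# Trojan.Swizzor.1 artefacts described above on a live Windows host and returns
# one object per hit. Run from an elevated PowerShell 3+ prompt.
# Assumptions (not stated in the write-up): random names are 2-4 lower-case
# English words of 3-4 letters; .job names are 16 hex digits; the autorun
# locations checked are the standard HKCU/HKLM ...\CurrentVersion\Run keys.
function Find-SwizzorIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Indicator, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
    }

    # Same pattern for the folder, file and HKCU\Software subkey names,
    # e.g. "bind army eggs joy", "htm try".
    $wordName = '^[a-z]{3,4}( [a-z]{3,4}){1,3}$'

    # 1. iexplore.exe with no visible main window. .NET reports MainWindowHandle 0
    #    for hidden windows, but also for a legitimate IE instance that only hosts
    #    COM objects, so this hit needs one of the other indicators to confirm it.
    foreach ($proc in @(Get-Process -Name iexplore -ErrorAction SilentlyContinue)) {
        if ($proc.MainWindowHandle -eq 0) {
            Add-Finding 'iexplore.exe without visible window' ("PID {0}, session {1}" -f $proc.Id, $proc.SessionId)
        }
    }

    # 2. The dropper written by the bundled installer.
    $dropper = Join-Path $env:TEMP 'minime.exe'
    if (Test-Path -LiteralPath $dropper) { Add-Finding 'Dropper on disk' $dropper }

    # 3. Word-named folders under the per-user and all-users Application Data roots
    #    (the write-up's %AppData% is the all-users folder, %User-AppData% the per-user one).
    $roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)
    if ($env:ALLUSERSPROFILE) { $roots += Join-Path $env:ALLUSERSPROFILE 'Application Data' }
    foreach ($root in ($roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique)) {
        $dirs = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer -and $_.Name -match $wordName }
        foreach ($dir in @($dirs)) {
            $exes = @(Get-ChildItem -LiteralPath $dir.FullName -Filter *.exe -Force -ErrorAction SilentlyContinue)
            Add-Finding 'Word-named Application Data folder' ("{0} ({1} .exe inside)" -f $dir.FullName, $exes.Count)
        }
    }

    # 4. Word-named subkey directly under HKCU\Software.
    $keys = Get-ChildItem -Path HKCU:\Software -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match $wordName }
    foreach ($key in @($keys)) { Add-Finding 'Word-named HKCU\Software subkey' $key.Name }

    # 5. Run values whose command lives in a word-named folder (assumed locations).
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($rk in $runKeys) {
        $values = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider noise
            if ("$($v.Value)" -match '\\[a-z]{3,4}( [a-z]{3,4}){1,3}\\[^\\]+\.exe') {
                Add-Finding "Autorun value in $rk" ("{0} = {1}" -f $v.Name, $v.Value)
            }
        }
    }

    # 6. Legacy .job tasks with a 16-hex-digit name, hidden ones included (-Force).
    $jobs = Get-ChildItem -LiteralPath (Join-Path $env:windir 'Tasks') -Filter *.job -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match '^[0-9A-F]{16}$' }
    foreach ($job in @($jobs)) { Add-Finding 'Random-named .job task' $job.FullName }

    return $findings
}

$hits = @(Find-SwizzorIndicators)
if ($hits.Count -eq 0) { 'No Trojan.Swizzor.1 indicators found.' } else { $hits | Format-Table -AutoSize }
```

Treat the output as triage hits, not a verdict: a headless iexplore.exe is normal for some COM hosts, and the word pattern also matches benign folder names such as "Red Gate". Act only when several indicators line up (for example a hidden iexplore.exe plus a word-named folder containing an .exe that a Run value points to), and follow the removal order given above: stop the injected processes before deleting files, or the trojan simply downloads itself again.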
%Temp% refers to the Temporary folder (in Windows XP, the default is C:\Documents and Settings\[User-Name]\Local Settings\Temp).
%AppData% refers to the All Users Application Data folder (in Windows XP, the default is C:\Documents and Settings\All Users\Application Data).
%User-AppData% refers to the User Application Data folder (in Windows XP, the default is C:\Documents and Settings\[User-Name]\Application Data).
Note that these are this write-up's own placeholders: the real Windows environment variable %APPDATA% expands to the per-user folder (%User-AppData% in the notation above), not to the All Users folder.