Trojan.Swizzor.1 (aliases: Swizzor, FatObfus, Lop, Obfuscated, C2Lop)
SYMPTOMS: Several "iexplore.exe" processes running with a hidden window. Presence of the files, folders and registry keys named below. Increased network activity. System slowdowns. Internet Explorer popups.

TECHNICAL DESCRIPTION: Trojan.Swizzor.1 is the name of a generic detection for an obfuscated downloader that usually comes bundled with other software (such as 3wPlayer or so-called BitTorrent optimization tools). When such a tool is installed, it downloads a copy of Trojan.Swizzor.1 and saves it as:

%Temp%\minime.exe

When this downloaded file is executed, it starts a new "iexplore.exe" process with a hidden window, injects its code into the newly started process and, from inside it, downloads further copies of Trojan.Swizzor.1 into the %Temp% folder, saving them as %AppData%\[random-folder-name]\[random-file-name] or %User-AppData%\[random-folder-name]\[random-file-name]. Running inside "iexplore.exe" keeps the dropper itself out of the process list and lets its downloads blend in with ordinary browser traffic. It also creates a new registry subkey with a random name under HKCU\Software\[random-subkey-name]. Some of the downloaded files may be added to the following registry subkeys in order to ensure the trojan is executed at every system start-up:
[random-folder-name], [random-file-name], [random-subkey-name] and [random-value-name] consist of random English words of 3 or 4 letters, such as:
A hidden Windows scheduled task with a random name (for example: A3B0D938919B5400.job) may also be created to start one of the downloaded files every hour. A few examples of the IPs Trojan.Swizzor.1 may be downloaded from are:
%Temp% refers to the Temporary folder (in Windows XP, default is: "C:\Documents and Settings\[User-Name]\Local Settings\Temp"). %AppData% refers to the All Users Application Data folder (in Windows XP, default is: "C:\Documents and Settings\All Users\Application Data"). %User-AppData% refers to the User Application Data folder (in Windows XP, default is: "C:\Documents and Settings\[User-Name]\Application Data").

Removal instructions: Kill the "iexplore.exe" processes that have a hidden window first, so that the files they hold open can be deleted, then delete the infected files. Also delete the random-name .job task and the start-up registry entries listed above; if either survives it will restart any remaining copy of the trojan, which then downloads the rest again.

ANALYZED BY: Dan Anton, virus researcher
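The following triage script is an added example and is not part of the original analysis or the vendor's tooling. It walks the artifacts described above (hidden-window "iexplore.exe", %Temp%\minime.exe, random-word folders and executables under both Application Data roots, the hourly .job task and random-word keys under HKCU\Software) and reports them; with -Remove it also performs the kill-then-delete sequence from the removal instructions. Assumptions: PowerShell 2.0 or later, run as the infected user, that the random words consist of plain letters (the page lists no examples), and that %AppData% means the All Users root as defined above ($env:ALLUSERSPROFILE\Application Data on XP, $env:ProgramData on later Windows).

```powershell
# Added triage script for the Trojan.Swizzor.1 artifacts; not from the original
# analysis. Assumptions: PowerShell 2.0+, run as the infected user, random words
# are plain letters (the page gives no examples). Run without switches to report;
# add -Remove to kill the injected processes and delete dropper, payloads and task.
[CmdletBinding()]
param([switch]$Remove)

$findings = @()
$word = '^[A-Za-z]{3,4}$'   # random 3- or 4-letter word, per the description

# 1. iexplore.exe processes with no visible window. The injected copies report a
#    MainWindowHandle of 0; a real Internet Explorer session has a window.
#    Killed first so the files below are not locked when they are deleted.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    ForEach-Object {
        $findings += "hidden iexplore.exe PID $($_.Id)"
        if ($Remove) { Stop-Process -Id $_.Id -Force }
    }

# 2. The initial dropper in the user's Temp folder.
$dropper = Join-Path $env:TEMP 'minime.exe'
if (Test-Path $dropper) {
    $findings += "dropper $dropper"
    if ($Remove) { Remove-Item $dropper -Force }
}

# 3. Downloaded copies: a random-word folder directly under either Application
#    Data root, holding a random-word .exe. Both roots are checked because the
#    description names %AppData% (All Users) and %User-AppData% (per user).
$roots = @($env:APPDATA, (Join-Path $env:ALLUSERSPROFILE 'Application Data'), $env:ProgramData) |
    Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique
foreach ($root in $roots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match $word } |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -Filter '*.exe' -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and $_.BaseName -match $word } |
                ForEach-Object {
                    $findings += "payload $($_.FullName)"
                    if ($Remove) { Remove-Item $_.FullName -Force }
                }
        }
}

# 4. The hourly task. Task Scheduler 1.0 stores jobs as %windir%\Tasks\<name>.job;
#    the sample name above is 16 hex digits.
Get-ChildItem -Path (Join-Path $env:windir 'Tasks') -Filter '*.job' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[0-9A-F]{16}\.job$' } |
    ForEach-Object {
        $findings += "scheduled task $($_.FullName)"
        if ($Remove) { Remove-Item $_.FullName -Force }
    }

# 5. Random-word subkeys directly under HKCU\Software. Short legitimate vendor
#    names also live here, so these are only reported for manual review.
Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $word } |
    ForEach-Object { $findings += "review registry key HKCU\Software\$($_.PSChildName)" }

if ($findings.Count -eq 0) { Write-Output 'no Trojan.Swizzor.1 artifacts found' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

The random-word pattern is deliberately the weakest part of the match: a 3- or 4-letter folder name alone is common (vendor directories), so a payload is only flagged when such a folder also holds a short-word executable, and registry hits are listed but never deleted. Review the report before re-running with -Remove, and check the start-up registry locations listed above by hand, since the page does not give their names in a form the script could match.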