Symptoms
Several "iexplore.exe" processes with a hidden window.
Presence of the file, folder and registry names specified below.
Increased network activity.
Computer slowdowns.
IE popups.
Removal instructions:
Kill the "iexplore.exe" processes with hidden windows and delete the infected files.
Analyzed By
Dan Anton, virus researcher
Technical Description:
Trojan.Swizzor.2 is the name for a generic detection of an obfuscated downloader that usually comes bundled with other software (such as 3wPlayer or so-called BitTorrent optimization tools).
When such a tool is installed, it downloads a copy of Trojan.Swizzor.2 and saves it as:
%Temp%\minime.exe
When this downloaded file is executed, it starts a new "iexplore.exe" process with a hidden window, injects its code into the newly started process and starts downloading other copies of Trojan.Swizzor.1 into the %Temp% folder, saving them to
%AppData%\[random-folder-name]\[random-file-name] or
%User-AppData%\[random-folder-name]\[random-file-name].
It also creates a new registry subkey with a random name under
HKCU\Software\[random-subkey-name].
Some of the downloaded files may be added to the following registry subkeys in order to ensure the trojan is executed at every system start-up:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"[random-value-name]"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"[random-value-name]"
[random-folder-name], [random-file-name], [random-subkey-name] and [random-value-name] consist of random English words of 3 or 4 letters, such as:
- bind army eggs joy
- byte save meta
- bore user bike
- htm try
- modethis
- stopcakedumb
A new hidden Windows task with a random name (like A3B0D938919B5400.job) may also be created to start one of the downloaded files every hour.
A few examples of the IPs Trojan.Swizzor.2 may be downloaded from are:
- 64.34.228.[hide]
- 205.234.175.[hide] (vip1.[hide].cachefly.net)
%Temp% refers to the Temporary folder (in Windows XP, the default is "C:\Documents and Settings\[User-Name]\Local Settings\Temp").
%AppData% refers to the All Users Application Data folder (in Windows XP, the default is "C:\Documents and Settings\All Users\Application Data").
%User-AppData% refers to the User Application Data folder (in Windows XP, the default is "C:\Documents and Settings\[User-Name]\Application Data").
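The indicators above (hidden "iexplore.exe" processes, the %Temp%\minime.exe dropper, Run values and folders named from 3-4 letter words, and a 16-hex-character .job task) can be turned into a simple offline triage check. The following is an added example, not part of the original description; all sample data in it is constructed and the word-based name heuristic is an assumption drawn from the examples listed above.

```python
import re

# Heuristics taken from the description: names made of random 3-4 letter
# English words (e.g. "modethis", "stop cake dumb"), a task file named like
# A3B0D938919B5400.job, and a dropper saved as %Temp%\minime.exe.
WORD_NAME = re.compile(r"^(?:[a-z]{3,4})+$")        # loose: any 3/4-letter word chain
JOB_NAME = re.compile(r"^[0-9A-F]{16}\.job$", re.I)
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

def suspicious_run_values(run_entries):
    """run_entries: list of (key, value_name, data). Flags Run values whose name is a
    chain of 3-4 letter words and whose data points into Temp or Application Data."""
    hits = []
    for key, name, data in run_entries:
        compact = name.replace(" ", "").lower()
        in_app_dirs = any(p in data.lower() for p in ("\\temp\\", "application data\\"))
        if key in RUN_KEYS and WORD_NAME.match(compact) and in_app_dirs:
            hits.append((key, name))
    return hits

def hidden_iexplore(processes):
    """processes: list of (image_name, has_visible_window). An iexplore.exe with no
    visible window is the injection host described above."""
    return [p for p, visible in processes if p.lower() == "iexplore.exe" and not visible]

def suspicious_jobs(task_names):
    return [t for t in task_names if JOB_NAME.match(t)]

def triage(run_entries, processes, task_names, temp_files):
    """Collects every indicator class into one report dict."""
    return {
        "run": suspicious_run_values(run_entries),
        "iexplore": hidden_iexplore(processes),
        "jobs": suspicious_jobs(task_names),
        "dropper": [f for f in temp_files if f.lower() == "minime.exe"],
    }

# Constructed sample host data (hypothetical, not from a real infection)
SAMPLE_RUN = [
    (RUN_KEYS[0], "stop cake dumb",
     r"C:\Documents and Settings\All Users\Application Data\bind army eggs joy\byte save meta.exe"),
    (RUN_KEYS[0], "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (RUN_KEYS[1], "modethis", r"C:\Documents and Settings\Bob\Local Settings\Temp\bore user bike.exe"),
]
SAMPLE_PROCS = [("explorer.exe", True), ("iexplore.exe", True), ("iexplore.exe", False)]
SAMPLE_TASKS = ["A3B0D938919B5400.job", "Backup.job"]
SAMPLE_TEMP = ["minime.exe", "~DF1234.tmp"]
```

The word-chain regex is deliberately loose and will match some legitimate short names, so the path check on the Run value data is what keeps the false-positive rate down.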