
Trojan.Swizzor.4

LOW
LOW
Variable
(Trojan:Win32/C2Lop.A (OneCare) Trojan.Swizzor.Based (DrWeb) TR/Dldr.Swizzor.Gen (Avira))

Symptoms

- high CPU usage

- low internet bandwidth

- various new shortcuts may appear on desktop (see technical description)

- Internet Explorer running in background

Removal instructions:

Automatic: Please let BitDefender disinfect your files.

Manual: Kill the iexplore.exe processes with hidden window and delete all infected files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This detection name stands for an entire family of trojans that share the same behaviour. When executed, the trojan first runs iexplore.exe (Internet Explorer), hides its window, injects its entire code and data into that process's memory space, and then creates two remote threads running inside Internet Explorer. The injected code then adds the following registry key:

HKEY_CURRENT_USER\Tons Pop FindPile\sixth delete

Its value appears to be a randomly generated sequence of printable or unprintable characters, used later when sending requests to download more trojans. While memory resident, it may download and execute further Swizzor variants from the temp folder and display ads from various websites (since the detection covers many variants, the source of the downloaded trojans may vary; however, the main website seems to be hxxp://host-[remove].com). It can also create desktop shortcuts with adware-specific names, for example games.lnk, poker.lnk, internet.lnk, travel.lnk, etc., that point to various websites; it may also add those links to the browser's bookmarks.
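A read-only triage script for the indicators listed in the technical description and in the manual removal step (Internet Explorer running without a window, the registry key, the adware-named desktop shortcuts, and executables dropped in the temp folder). This is an added example, not Bitdefender's tooling; it assumes "Tons Pop FindPile" is a key directly under HKCU and that the four shortcut names above are representative.

```powershell
# Added triage example (not Bitdefender's own code). It only reports; cleanup is
# left to the AV product or to the manual step described on this page.
# Assumptions: "Tons Pop FindPile" is a key under HKCU; shortcut names are the
# four named in the description; dropped executables land in %TEMP%.

$findings = @()

# 1. Internet Explorer instances that own no visible top-level window.
#    MainWindowHandle is 0 for a process without a visible window.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    ForEach-Object { $findings += "hidden iexplore.exe, PID $($_.Id), session $($_.SessionId)" }

# 2. The registry key created by the injected code. Only value names and data
#    sizes are reported, since the data is a random byte/character sequence.
$regKey = 'HKCU:\Tons Pop FindPile'
if (Test-Path -LiteralPath $regKey) {
    $findings += "registry key present: $regKey"
    (Get-ItemProperty -LiteralPath $regKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $size = if ($_.Value -is [byte[]]) { $_.Value.Length } else { "$($_.Value)".Length }
            $findings += "  value '$($_.Name)' ($size bytes/chars)"
        }
}

# 3. Adware-style desktop shortcuts, resolved to their targets.
$names   = 'games', 'poker', 'internet', 'travel'
$desktop = [Environment]::GetFolderPath('Desktop')
$shell   = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $desktop -Filter '*.lnk' -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.BaseName.ToLower() } |
    ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        $findings += "suspicious shortcut $($_.Name) -> $target"
    }

# 4. Recently written executables in the temp folder (where variants are dropped).
Get-ChildItem -Path $env:TEMP -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object { $findings += "recent executable in TEMP: $($_.FullName)" }

if ($findings.Count -eq 0) { 'No Swizzor indicators found.' } else { $findings }
```

If hidden iexplore.exe processes are reported, the manual step above (terminating those PIDs and deleting the dropped files) can be applied to exactly the PIDs and paths in the findings list.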

At some point, the following message may be displayed:
"CiD: An important update is available to your CiD sponsor software and must
be run as administrator. Please press 'YES' to proceed. If you press 'NO'
you will be reminded again in a few hours. If instead you prefer to remove
the sponsor software, download and run this universal uninstaller:
http://cid[removed].com/uninstall.exe"

Following the link only downloads more Swizzor variants onto the affected computer.