14658 bytes packed
(Trojan.LopAd, W32/Swizzor.LN@dl, Win32/TrojanDownloader.Swizzor)
It is possible to have multiple instances of Internet Explorer in memory.
It is also possible to have strangely named directories under %AppData% (\Documents and Settings\%UserName%\Application Data) containing many downloaded malware files with the .exe extension. Another symptom is the presence of malware files under %TMP% with names of the form bis[randomnumber].exe (like c:\temp\bis12.exe).
Please let BitDefender delete the detected files.
Sándor LUKÁCS, BitDefender virus researcher
The trojan determines the path of Internet Explorer from the system registry. It then checks whether it is already running in the process context of Internet Explorer. If not, it creates a new instance of Internet Explorer and loads and executes itself inside that process as a library.
The trojan downloads other malware from randomly constructed URLs of the form http://[random]/bins/int/[removed]. The files are downloaded into the %TMP% folder with a .TMP extension, but are later moved to the %AppData% directory under random names built from a dictionary (like %AppData%\PollFindSite\SupportBike.exe) and executed.
If the injection of code into Internet Explorer fails, then the virus checks for command line arguments, like:
- If the command line arguments do not include a predefined signature (like 7b7b123), then a message box with title "Bad Elmo" and text "You must install this software as part of the parent program. Press OK to exit." appears and the trojan exits.
- If the command line argument "-newkEm" is present, then it searches for a special window (with class "wwBYAwnd" and name "windWWAA") and sends a 0x533 Windows message to it (which may trigger the execution of other malware). The trojan then tries to execute malware from %AppData% with names based on an encrypted dictionary (like %AppData%\PollFindSite\SupportBike.exe). After this the trojan exits.
- If the command line argument "SwIcertifiEd 1" is set, then the trojan downloads and executes other malware under %TMP%, named bis[randomnumber].exe, with parameters like "-Curl 7b7b123 -MpXNP_0001".
The virus contains many encrypted strings, specific to Swizzor variants. The intensive use of command line arguments serves to prevent or disturb heuristic detection.
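The symptoms and command line markers listed above can be turned into a simple triage check over process telemetry. The following is an added example written for this entry, not BitDefender's own code; the ProcessRecord fields and the sample records are constructed, and the %AppData% path heuristic is deliberately loose (legitimate software also creates such directories), so it is only a weak indicator on its own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Indicators taken from the description above.
TMP_DROPPER = re.compile(r"(^|[\\/])bis\d+\.exe$", re.IGNORECASE)        # %TMP%\bis12.exe
CMDLINE_MARKERS = ("-newkEm", "SwIcertifiEd 1", "7b7b123")               # switches / signature
# Weak heuristic: <word>\<word>.exe directly under "Application Data" (dictionary-built names).
APPDATA_DROP = re.compile(r"[\\/]Application Data[\\/][A-Za-z]+[\\/][A-Za-z]+\.exe$", re.IGNORECASE)


@dataclass
class ProcessRecord:  # constructed record shape, not a real telemetry format
    pid: int
    image: str      # full path of the executable
    cmdline: str    # command line as observed


def swizzor_indicators(proc: ProcessRecord) -> List[str]:
    """Return the names of the Swizzor indicators that match one process."""
    hits = []
    if TMP_DROPPER.search(proc.image):
        hits.append("tmp-dropper-name")
    for marker in CMDLINE_MARKERS:
        if marker in proc.cmdline:
            hits.append(f"cmdline:{marker}")
    if APPDATA_DROP.search(proc.image):
        hits.append("appdata-dictionary-path")
    return hits


def triage(records: List[ProcessRecord]) -> Tuple[Dict[int, List[str]], bool]:
    """Map pid -> indicators for matching processes, and flag multiple
    Internet Explorer instances (the first symptom named in the entry)."""
    flagged: Dict[int, List[str]] = {}
    ie_count = 0
    for rec in records:
        if rec.image.lower().endswith("iexplore.exe"):
            ie_count += 1
        hits = swizzor_indicators(rec)
        if hits:
            flagged[rec.pid] = hits
    return flagged, ie_count > 1


SAMPLE_RECORDS = [  # constructed sample data, not real telemetry
    ProcessRecord(100, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    ProcessRecord(101, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    ProcessRecord(102, r"C:\temp\bis12.exe", "bis12.exe -Curl 7b7b123 -MpXNP_0001"),
    ProcessRecord(103, r"C:\Documents and Settings\alice\Application Data\PollFindSite\SupportBike.exe",
                  "SupportBike.exe -newkEm"),
    ProcessRecord(104, r"C:\Windows\notepad.exe", "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
```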