Trojan.Lopad.K (Swizzor)

SYMPTOMS: Multiple instances of the "Internet Explorer" browser in memory.

TECHNICAL DESCRIPTION: The exact path to the "Internet Explorer" browser is retrieved from the registry. A check is made to see whether the virus code is executing from within iexplore.exe's address space. If it is not, a new instance of iexplore.exe is infected with the viral code and executed.

The code injected into iexplore.exe does the following:

If the command line arguments do not include the string "923CCB1F", a message box with the title "Bad Elmo" and the text "You must install this software as part of the parent program. Press OK to exit." appears before exiting.

If the command line argument "-newkEm" is present, it searches for a window of class "wwBYAwnd" and name "windWWAA", sends it a message with id 0x533 and then exits. If the window cannot be found, a file named "cdromruleclose.exe" is looked for in "%app_data%/play view/" and executed if it is found. The virus then exits, but not before retrying to send the previous message to the same window.

If the command line argument "SWIcertifiedEd 1" is present, the file "%temp_dir%\bis

Next a random URL is constructed, with the form "http://c2839.bins.lop.com/

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Marian RADU, virus researcher
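The symptoms and command-line markers listed in the description translate directly into host-based detection logic. The following Python script is an added example written for this page; it is not BitDefender's code and not part of the original analysis. It scores a constructed process snapshot against the indicators the write-up names: more than one iexplore.exe instance in memory, the arguments "923CCB1F", "-newkEm" and "SWIcertifiedEd 1" on an iexplore.exe command line, and the dropped file "cdromruleclose.exe" under "play view". The snapshot record format (pid, name, parent, cmdline), the dropper name "dropper_placeholder.exe", the sample paths and the allow-list of parents that normally start Internet Explorer are assumptions made for the example; in practice the records would come from a process listing or EDR telemetry.

```python
"""Heuristic detection for the Trojan.Lopad.K (Swizzor) indicators described above.

Added example (not BitDefender's code). All indicators are taken from the
write-up; the snapshot format and the parent allow-list are assumptions.
"""
from dataclasses import dataclass

# Command-line markers named in the write-up.
CMDLINE_MARKERS = ("923CCB1F", "-newkEm", "SWIcertifiedEd 1")
# Dropped file path fragment named in the write-up (%app_data%\play view\cdromruleclose.exe).
DROPPED_FILE_SUFFIX = r"\play view\cdromruleclose.exe"
# Processes that legitimately start Internet Explorer (assumption for this example).
EXPECTED_IE_PARENTS = {"explorer.exe", "iexplore.exe"}


@dataclass
class Proc:
    """One process record from a snapshot (assumed format)."""
    pid: int
    name: str
    parent: str
    cmdline: str


def markers_in(cmdline: str) -> list:
    """Return the Swizzor command-line markers present in a command line, in table order."""
    return [m for m in CMDLINE_MARKERS if m in cmdline]


def analyze(procs: list) -> list:
    """Return (pid, finding_code) tuples; pid is None for snapshot-wide findings."""
    findings = []
    ie = [p for p in procs if p.name.lower() == "iexplore.exe"]
    # Symptom from the write-up: multiple Internet Explorer instances in memory.
    if len(ie) > 1:
        findings.append((None, "multiple_iexplore"))
    for p in ie:
        # The injected instance is launched with the marker arguments.
        if markers_in(p.cmdline):
            findings.append((p.pid, "swizzor_cmdline"))
        # The infected instance is started by the dropper, not by the shell (heuristic).
        if p.parent.lower() not in EXPECTED_IE_PARENTS:
            findings.append((p.pid, "unexpected_parent"))
    for p in procs:
        # The secondary payload executed from %app_data%\play view\.
        if DROPPED_FILE_SUFFIX.lower() in p.cmdline.lower():
            findings.append((p.pid, "dropped_file"))
    return findings


# Constructed snapshot: one normal IE session plus the pattern the write-up describes.
SAMPLE_SNAPSHOT = [
    Proc(1000, "explorer.exe", "winlogon.exe", "C:\\WINDOWS\\explorer.exe"),
    Proc(2040, "iexplore.exe", "explorer.exe",
         '"C:\\Program Files\\Internet Explorer\\iexplore.exe" http://www.example.com/'),
    # "dropper_placeholder.exe" is a hypothetical name for the parent program.
    Proc(3100, "iexplore.exe", "dropper_placeholder.exe",
         '"C:\\Program Files\\Internet Explorer\\iexplore.exe" 923CCB1F -newkEm'),
    Proc(3150, "cdromruleclose.exe", "iexplore.exe",
         '"C:\\Documents and Settings\\user\\Application Data\\play view\\cdromruleclose.exe"'),
]

if __name__ == "__main__":
    for pid, code in analyze(SAMPLE_SNAPSHOT):
        print(f"pid={pid} finding={code}")
```

A single iexplore.exe with an unusual parent is a weak signal on its own; the combination of the marker arguments and the dropped-file path is what makes the snapshot match this family rather than a user with several browser windows open.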