BitDefender Antivirus
Contact Us | My BitDefender

Trojan.Downloader.Swizzor.EM

( Trojan.LopAd, Win32/Lop.BI, Adware.Win32.Lop.Ai )
Spreading: medium
Damage: medium
Size: 14663 bytes packed
Discovered: 2006 Apr 21

SYMPTOMS:

It is possible to have multiple instances of Internet Explorer in memory.

It is also possible to have strangly named directories under %AppData% (\Documents and Settings\%UserName%\Application Data) containing many downloaded malware files with .exe extension. Another symptom is to have malware files under %TMP% with names
bis[randomnumber].exe (like c:\temp\bis14.exe).

TECHNICAL DESCRIPTION:

The trojan determines the path of Internet Explorer using the system registry. After that, the trojan checks, if it is running already in the process context of Internet Explorer. If not, then a new instance of Internet Explorer is created and the virus loads and executes itself under the Internet Explorer process as a library.

The trojan dowloads other malware from randomly constructed URLs with the form http://[random]/bins/int/[removed]. The files are downloaded into the %TMP% folder with .TMP extension, but are later moved to %AppData% directory with random names based on a dictionary (like %AppData%\PollFindSite\SupportBike.exe) and executed.
If the injection of code into Internet Explorer fails, then the virus checks for command line arguments, like:
  • If the command line arguments does not include a predefined signature (like 923ccb1f) then a message box with title "Bad Elmo" and text "You must install this software as part of the parent program. Press OK to exit." appears, then the trojan exits.
  • If the command line argument "-newkEm" is present, then it searches for a special window (with class "wwBYAwnd" and name "windWWAA") and sends a 0x533 Windows message to it (with this may trigger the execution of other malware). The trojan also registers a new window message with the typical name 'ZegkScArbUni'. The torjan tries to execute malware from the %AppData% with names based on a crypted dictionary (like %AppData%\PollFindSite\SupportBike.exe). After this the trojan exits.
  • If the command line argument "SwIcertifiEd 1" is set, then the trojan downloads and executes other malware under %TMP%, named bis[randomnumber].exe with parameters like "-Curl 923ccb1f -MpXNP_0001".
The virus contains many encrypted strings, specific to Swizzor variants. The intensive use of command line arguments has the role to prevent / disturb heuristical detection.

Removal instructions:

Please let BitDefender delete your files.

ANALYZED BY:

Sándor LUKÁCS, BitDefender virus researcher
©   2009 BITDEFENDER SiteMap | Legal Terms | Site Feedback | Global Sites | Privacy Policy