Trojan.Swizzor.1
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Swizzor.1 is also known as Swizzor, FatObfus, Lop, Obfuscated, C2Lop.
Explanation:
Trojan.Swizzor.1 is the name for a generic detection of an obfuscated downloader that usually comes bundled with other software (such as 3wPlayer or so-called BitTorrent optimization tools).
When such a tool is installed, it downloads a copy of Trojan.Swizzor.1 and saves it as:
%Temp%\minime.exe
When this downloaded file is executed, it starts a new "iexplore.exe" process with a hidden window, injects its code into the newly started process, and begins downloading further copies of Trojan.Swizzor.1 into the %Temp% folder, saving them as %AppData%\[random-folder-name]\[random-file-name] or
%User-AppData%\[random-folder-name]\[random-file-name].
It also creates a new registry subkey with a random name under HKCU\Software\[random-subkey-name].
Some of the downloaded files may be added to the following registry subkeys in order to ensure the trojan is executed at every system start-up:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "[random-value-name]"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "[random-value-name]"
[random-folder-name], [random-file-name], [random-subkey-name] and [random-value-name] consist of random English words of 3 or 4 letters, such as:
bind army eggs joybyte save metabore user bikehtm trymodethisstopcakedumb
A new hidden Windows scheduled task with a random name (for example A3B0D938919B5400.job) may also be created to start one of the downloaded files every hour.
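As an added illustration (this script is not part of the BitDefender write-up), the following Python triages exported Run-key entries and task names against the indicator pattern described above: persistence values under %AppData% or %User-AppData% whose value name, folder name and file name are all concatenations of 3- or 4-letter English words, and hidden tasks named with 16 hex digits plus ".job". The word list is seeded only from the words quoted on this page and the inputs are constructed samples; a real check would load a full dictionary and read the live registry and task folder.

```python
import re
from functools import lru_cache
# Constructed word list seeded from the page's examples; a real check would
# load a full English dictionary of 3- and 4-letter words.
WORDS = frozenset("bind army eggs joy byte save meta bore user bike htm try "
                  "mode this stop cake dumb".split())
# Hidden task name: 16 hex digits plus ".job", e.g. A3B0D938919B5400.job
HEX_JOB = re.compile(r"^[0-9A-F]{16}\.job$", re.IGNORECASE)
# %AppData%\<folder>\<file>, %User-AppData%\<folder>\<file>, or the XP
# expansions of those, which end in "...\Application Data\<folder>\<file>"
APPDATA_PATH = re.compile(
    r"(?:%(?:AppData|User-AppData)%|\\Application Data)"
    r"\\([a-z]+)\\([a-z]+)(?:\.exe)?$", re.IGNORECASE)
RUN_KEYS = {r"hkcu\software\microsoft\windows\currentversion\run",
            r"hklm\software\microsoft\windows\currentversion\run"}

@lru_cache(maxsize=None)
def is_word_concat(name: str) -> bool:
    """True if `name` splits entirely into known 3- or 4-letter words."""
    if name == "":
        return True
    return any(name[:n] in WORDS and is_word_concat(name[n:]) for n in (3, 4))

def suspicious_run_entries(entries):
    """Filter (key, value_name, data) Run entries to those whose value name,
    folder and file name are all word concatenations under an AppData path."""
    hits = []
    for key, value_name, data in entries:
        if key.lower() not in RUN_KEYS:
            continue
        match = APPDATA_PATH.search(data.strip('"'))
        if match is None:
            continue
        names = (value_name, match.group(1), match.group(2))
        if all(is_word_concat(n.lower()) for n in names):
            hits.append((key, value_name, data))
    return hits

def suspicious_tasks(task_names):
    """Return task names matching the 16-hex-digit .job naming pattern."""
    return [t for t in task_names if HEX_JOB.match(t)]

# Constructed sample input (not real registry contents or task names).
SAMPLE_RUN = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "joybyte",
     r"%User-AppData%\metabore\bikehtm"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Program Files\Updater\updater.exe"'),
]
SAMPLE_TASKS = ["A3B0D938919B5400.job", "NightlyBackup.job"]  # constructed
```

Running `suspicious_run_entries(SAMPLE_RUN)` returns only the "joybyte" entry, and `suspicious_tasks(SAMPLE_TASKS)` returns only the hex-named job.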
A few examples of the IPs Trojan.Swizzor.1 may be downloaded from are:
64.34.228.[hide]
205.234.175.[hide] (vip1.[hide].cachefly.net)
%Temp% refers to the Temporary folder (in Windows XP the default is "C:\Documents and Settings\[User-Name]\Local Settings\Temp").
%AppData% refers to the All Users Application Data folder (in Windows XP the default is "C:\Documents and Settings\All Users\Application Data").
%User-AppData% refers to the User Application Data folder (in Windows XP the default is "C:\Documents and Settings\[User-Name]\Application Data").
Last update 21 November 2011