
Trojan.Swizzor.2


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Swizzor.2 is also known as Swizzor, FatObfus, Lop, Obfuscated, C2Lop.

Explanation:

Trojan.Swizzor.2 is the name for a generic detection of an obfuscated downloader that usually comes bundled with other software (such as 3wPlayer or so-called BitTorrent optimization tools).

When such a tool is installed, it downloads a copy of Trojan.Swizzor.2 and saves it as:

%Temp%\minime.exe

When this downloaded file is executed, it starts a new "iexplore.exe" process with a hidden window, injects its code into the newly started process and starts downloading other copies of Trojan.Swizzor.1 into the %Temp% folder, saving them to %AppData%\[random-folder-name]\[random-file-name] or %User-AppData%\[random-folder-name]\[random-file-name].

It also creates a new registry subkey with a random name under HKCU\Software\[random-subkey-name].

Some of the downloaded files may be added to the following registry subkeys in order to ensure the trojan is executed at every system start-up:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"[random-value-name]"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"[random-value-name]"

[random-folder-name], [random-file-name], [random-subkey-name] and [random-value-name] consist of random English words of 3 or 4 letters, such as:

bind army eggs joybyte save metabore user bikehtm try mode this stop cake dumb

A new hidden Windows task with a random name (like A3B0D938919B5400.job) may also be created to start one of the downloaded files every hour.

A few examples of the IPs Trojan.Swizzor.2 may be downloaded from are:

64.34.228.[hide]
205.234.175.[hide] (vip1.[hide].cachefly.net)

%Temp% refers to the Temporary folder (in Windows XP, the default is C:\Documents and Settings\[User-Name]\Local Settings\Temp).
%AppData% refers to the All Users Application Data folder (in Windows XP, the default is C:\Documents and Settings\All Users\Application Data).
%User-AppData% refers to the User Application Data folder (in Windows XP, the default is C:\Documents and Settings\[User-Name]\Application Data).
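The persistence indicators above (Run-key values pointing at an Application Data folder whose folder, file and value names are short English words, a 16-hex-character .job task, and minime.exe dropped in %Temp%) translate directly into a triage heuristic. The script below is an added example, not BitDefender's detection logic and not code from the original page; it runs over constructed autorun entries, task names and file paths (all sample data, no real host) that mimic what an autoruns-style export or a directory listing would contain, and flags entries matching the pattern described here. The word-shape regex and the treatment of the AppData\Local and Roaming sub-folders on newer Windows versions are assumptions of this example.

```python
import re

# Constructed sample data shaped like an autorun export: (key, value name, command).
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "eggs",
     r"C:\Documents and Settings\All Users\Application Data\joybyte\bikehtm.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "army",
     r"C:\Documents and Settings\alice\Application Data\save\metabore.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Program Files\Windows Defender\MSASCuiL.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]
# Constructed sample task file names from %SystemRoot%\Tasks.
SAMPLE_TASKS = ["A3B0D938919B5400.job", "GoogleUpdateTaskMachineUA.job", "At1.job"]
# Constructed sample file paths from a %Temp% listing.
SAMPLE_TEMP_FILES = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\minime.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\~DF1234.tmp",
]

# Assumption: names are one to three concatenated lowercase words of 3-4 letters
# (e.g. "eggs", "joybyte", "metabore"), as the page's examples suggest.
WORDS_RE = re.compile(r"^(?:[a-z]{3,4}){1,3}$")
# Hidden task names in the description are 16 uppercase hex characters plus ".job".
TASK_RE = re.compile(r"^[0-9A-F]{16}\.job$")
TEMP_DROPPER = "minime.exe"


def looks_like_random_words(name):
    return bool(WORDS_RE.match(name))


def suspicious_run_entry(value_name, command):
    """True when a Run value launches <AppData>\\<word-folder>\\<word-file>.exe."""
    m = re.match(r'^"?([^"]+?\.exe)"?', command, re.IGNORECASE)
    path = m.group(1) if m else command
    parts = path.split("\\")
    for i, part in enumerate(parts):
        if part.lower() in ("application data", "appdata"):
            rest = parts[i + 1:]
            break
    else:
        return False  # not under an Application Data folder
    # Assumption: skip the Local/Roaming/LocalLow layer present on Vista and later.
    if rest and rest[0].lower() in ("local", "roaming", "locallow"):
        rest = rest[1:]
    if len(rest) != 2:
        return False  # real software usually nests deeper than folder\file.exe
    folder, filename = rest
    stem = filename.rsplit(".", 1)[0]
    return (looks_like_random_words(folder)
            and looks_like_random_words(stem)
            and looks_like_random_words(value_name))


def suspicious_task_name(name):
    return bool(TASK_RE.match(name))


def suspicious_temp_file(path):
    return path.rsplit("\\", 1)[-1].lower() == TEMP_DROPPER


def scan(run_entries, task_names, temp_files):
    """Return a list of human-readable hits for review; empty list means nothing matched."""
    hits = []
    for key, value, cmd in run_entries:
        if suspicious_run_entry(value, cmd):
            hits.append(f"run value {key}\\{value} -> {cmd}")
    for task in task_names:
        if suspicious_task_name(task):
            hits.append(f"task {task}")
    for path in temp_files:
        if suspicious_temp_file(path):
            hits.append(f"temp file {path}")
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RUN_ENTRIES, SAMPLE_TASKS, SAMPLE_TEMP_FILES):
        print(hit)
```

The heuristic deliberately requires the folder, the executable name and the Run value name to all have the short-word shape before flagging an entry, which keeps legitimate software that lives under AppData (OneDrive in the sample) out of the results; a task or file-name match alone is weaker evidence and should be reviewed together with the Run-key hits rather than acted on by itself.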

Last update 21 November 2011
