
Trojan.Swizzor.4


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Swizzor.4 is also known as Trojan:Win32/C2Lop.A (OneCare).

Explanation:

This detection name stands for an entire family of trojans that share the same behaviour. When executed, the trojan first runs iexplore.exe (Internet Explorer) with its window hidden, injects its entire code and data into the Internet Explorer process's memory space, and then creates two remote threads running inside Internet Explorer. The injected code then adds the following registry key:

HKEY_CURRENT_USER\Tons Pop FindPilesixth delete

with a value that appears to be a randomly generated sequence of printable or unprintable characters, used later when sending requests to download more trojans. While memory resident, it may download and execute more Swizzor variants in the temp folder and display ads from various websites (since the detection covers many variants, the source of the downloaded trojans may vary; however, the main website seems to be hxxp://host-[remove].com). It can also create desktop shortcuts with adware-specific names, for example games.lnk, poker.lnk, internet.lnk, travel.lnk, etc., that contain links to various websites; it might also add those links to the browser's bookmarks.

At some point, the following message may be displayed:

"CiD: An important update is available to your CiD sponsor software and must be run as administrator. Please press 'YES' to proceed. If you press 'NO' you will be reminded again in a few hours. If instead you prefer to remove the sponsor software, download and run this universal uninstaller: http://cid[removed].com/uninstall.exe"

Following the link will only download more Swizzor variants onto the affected computer.
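As an added defender-side triage example (not part of the BitDefender write-up), the PowerShell script below checks a Windows host for the two observable indicators described above: desktop shortcuts carrying the adware-specific names, and an iexplore.exe instance started by something other than the shell, which is how the trojan launches its hidden Internet Explorer host process. The shortcut names and the "not launched by explorer.exe" heuristic are assumptions drawn from the text, so treat hits as leads to review, not verdicts.

```powershell
# Added triage script (not from the BitDefender write-up). Assumes PowerShell 3+
# on the host being checked; indicator names are taken from the text above.

$suspectNames = 'games.lnk', 'poker.lnk', 'internet.lnk', 'travel.lnk'
$desktops = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory')
) | Where-Object { $_ -and (Test-Path $_) }

$shell = New-Object -ComObject WScript.Shell
$findings = @()

# 1. Adware-named desktop shortcuts and the targets they point at
foreach ($dir in $desktops) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue |
        Where-Object { $suspectNames -contains $_.Name.ToLower() } |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $findings += [pscustomobject]@{
                Indicator = 'AdwareShortcut'
                Path      = $_.FullName
                Detail    = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
            }
        }
}

# 2. iexplore.exe instances whose parent is neither explorer.exe nor another
#    iexplore.exe (the trojan starts Internet Explorer itself and hides it)
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }
foreach ($ie in ($procs | Where-Object { $_.Name -ieq 'iexplore.exe' })) {
    $parent     = $byPid[$ie.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -notin @('explorer.exe', 'iexplore.exe')) {
        $findings += [pscustomobject]@{
            Indicator = 'UnexpectedIEParent'
            Path      = $ie.ExecutablePath
            Detail    = "PID $($ie.ProcessId) spawned by $parentName (PID $($ie.ParentProcessId))"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Swizzor indicators found.' }
```

A hit on the second check is only a lead: legitimate launchers (installers, scripts, helpdesk tools) also start Internet Explorer, so confirm by inspecting the parent image and looking for the randomly named HKEY_CURRENT_USER key and the dropped files in the temp folder.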

Last update 21 November 2011
