Home / malware Trojan:W32/Swisyn.CAV
First posted on 27 October 2009.
Source: SecurityHomeAliases :
Trojan:W32/Swisyn.CAV is also known as Trojan:Win32/Chksyn.gen!A (Microsoft).
Explanation :
A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.
Additional DetailsTrojan:W32/Swisyn.CAV downloads arbitrary files from a remote server and installs them onto the infected system.
Installation
When first executed, Swisyn.CAV creates copies of itself in the following locations:
  • %cwd%alg.exe - a temporary copy that is deleted after being executed
  • %appdata%Mcirosoftvmmonitor.exe - a 'permanent' copy   • %appdata%Microsoftqud.dtd - empty file
Note that %cwd% is the directory the original malware file was executed in; %appdata% is usually C:Documents and SettingsAll usersApplication data.
Activity
Once installed, the trojan attempts to connect to two remote locations and download files from them. The files downloaded by this variant are no longer available for analysis.
Registry
The following registry key is added to enable the malware to be launched at every startup:
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunvmmonitor =
"C:DOCUME~1ALLUSE~1APPLIC~1vmmonitor.exe ~mode =background-check=memory" [launchpoint]Last update 27 October 2009