Trojan:Win32/C2Lop.J
Published Mar 21, 2010 | Updated Sep 15, 2017
Detected by Microsoft Defender Antivirus
Aliases: TROJ_GEN.0X2412S (Trend Micro), Trojan.Win32.Swizzor.a (Kaspersky)
Summary
Trojan:Win32/C2Lop.J is a trojan that contains limited backdoor functionality. Using this backdoor, C2Lop's controller can order the trojan to download and execute arbitrary files, display advertisements, and mediate the affected user's online experience by blocking access to particular hosts/domains.
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Threat behavior
Installation
When executed, Win32/C2Lop injects itself into the Internet Explorer process. Presumably this is done to evade application-level firewalls, which then see the trojan's network traffic as coming from the browser, and to hinder removal, since the malicious code runs inside a legitimate process rather than as a process of its own.
Payload
Backdoor functionality
Win32/C2Lop downloads an encrypted configuration file from a specified domain. This trojan has been observed contacting ads.netbios-local.com for this purpose. The downloaded configuration file can instruct the trojan to perform the following actions on an affected computer:
- Display advertisements
- Block specified hosts/domains
- Monitor Internet Explorer processes and capture data to send to a remote host (including URLs visited, metadata of visited pages, the source of visited pages, etc.)
- Download and execute arbitrary files. Files are downloaded to the %temp% directory, with a filename built by combining strings randomly selected from lists carried in the trojan's code. The following strings are used by the trojan in this manner:
1
16
2
32
4
64
about
ace
acid
active
admin
aim
amen
amok
ante
anti
army
atom
audio
axis
axis
bags
bait
ball
balm
barb
base
bash
bat
beep
bend
bias
bib
bike
bin
bind
bird
bits
blah
bleh
blue
body
bold
bolt
bone
boob
book
bore
bows
browse
build
burn
byte
cake
camp
cash
cast
cdrom
chic
chin
city
clock
close
coal
comp
cool
copy
corn
creative
curb
dale
dart
dash
data
date
dead
deaf
debug
default
defy
delete
dent
does
dog
download
draw
drive
drv
dumb
dupe
dvd
each
eggs
else
enc
error
exit
extra
face
fast
file
film
find
first
five
flag
flap
flaw
for
ford
fork
four
frag
free
funk
global
glue
gpl
gram
great
grey
grid
grim
heart
heck
help
hide
hold
hole
hope
htm
idle
idol
info
inside
inter
internet
intra
iso
itch
joy
jugs
jump
junk
keep
kind
knob
less
license
lies
link
list
lite
live
load
locks
log
logo
long
loud
love
mags
mail
manager
mapi
math
meal
media
meet
memo
meow
mess
meta
mfcd
mix
mode
more
move
mp3
mpeg
multi
name
new
noun
nurb
obj
okay
once
one
online
ooze
open
option
owns
part
peak
phone
pile
ping
plan
platform
play
plus
poke
poll
pop
proc
program
proxy
pure
rdr
readme
real
rect
ref
regs
remote
road
roam
rule
safe
save
scr
second
sect
seek
send
settings
setup
shim
show
sign
site
sixth
size
skip
slow
soap
soft
software
spam
start
stop
store
stupid
style
support
surf
team
test
that
the
third
this
thunk
tick
time
title
tons
tool
trans
tray
trust
two
type
upload
user
vga
view
wait
warn
wave
way
web
win
window
wipe
wma
Analysis by Chun Feng
Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected computer.