Trojan:Win32/C2Lop.F


Trojan:Win32/C2Lop.F is a trojan that contains limited backdoor functionality. Using this backdoor, C2Lop's controller can order the trojan to download and execute arbitrary files, display advertisements, and mediate the affected user's online experience by blocking access to particular hosts/domains.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
When executed, Win32/C2Lop injects itself into the Internet Explorer process. Presumably this is to avoid detection by application-level firewalls and to hinder the trojan's removal.
Payload
Backdoor functionality
Win32/C2Lop downloads an encrypted configuration file from a specified domain. TrojanDownloader:Win32/C2Lop.F has been observed contacting c7540.nb.host-domain-lookup.com for this purpose. The downloaded configuration file can instruct the trojan to perform the following actions on an affected computer:
- Display advertisements
- Block specified hosts/domains
- Monitor Internet Explorer processes and capture data to send to a remote host (including URLs visited, metadata of visited pages, source of visited pages, etc.)
- Download and execute arbitrary files. Files are downloaded to the %temp% directory, where the filename is a combination of strings randomly selected from lists carried in the trojan's code. The following strings are used by the trojan in this manner:
1, 16, 2, 32, 4, 64, about, ace, acid, active, admin, aim, amen, amok, ante, anti, army, atom, audio, axis, axis,
bags, bait, ball, balm, barb, base, bash, bat, beep, bend, bias, bib, bike, bin, bind, bird, bits, blah, bleh, blue,
body, bold, bolt, bone, boob, book, bore, bows, browse, build, burn, byte, cake, camp, cash, cast, cdrom, chic, chin,
city, clock, close, coal, comp, cool, copy, corn, creative, curb, dale, dart, dash, data, date, dead, deaf, debug,
default, defy, delete, dent, does, dog, download, draw, drive, drv, dumb, dupe, dvd, each, eggs, else, enc, error,
exit, extra, face, fast, file, film, find, first, five, flag, flap, flaw, for, ford, fork, four, frag, free, funk,
global, glue, gpl, gram, great, grey, grid, grim, heart, heck, help, hide, hold, hole, hope, htm, idle, idol, info,
inside, inter, internet, intra, iso, itch, joy, jugs, jump, junk, keep, kind, knob, less, license, lies, link, list,
lite, live, load, locks, log, logo, long, loud, love, mags, mail, manager, mapi, math, meal, media, meet, memo, meow,
mess, meta, mfcd, mix, mode, more, move, mp3, mpeg, multi, name, new, noun, nurb, obj, okay, once, one, online, ooze,
open, option, owns, part, peak, phone, pile, ping, plan, platform, play, plus, poke, poll, pop, proc, program, proxy,
pure, rdr, readme, real, rect, ref, regs, remote, road, roam, rule, safe, save, scr, second, sect, seek, send,
settings, setup, shim, show, sign, site, sixth, size, skip, slow, soap, soft, software, spam, start, stop, store,
stupid, style, support, surf, team, test, that, the, third, this, thunk, tick, time, title, tons, tool, trans, tray,
trust, two, type, upload, user, vga, view, wait, warn, wave, way, web, win, window, wipe, wma
 
Analysis by Chun Feng

Symptoms

There are no obvious symptoms that indicate the presence of this malware on an affected computer.

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.49.418.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Mar 22, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Mal_Swizzor (Trend Micro)