Trojan:Win32/C2Lop.gen!B


Trojan:Win32/C2Lop.gen!B is a generic detection for a family of trojans that modify web browser settings, add browser bookmarks, and deliver pop-up advertisements. Its behavior is similar to the family behavior presented in the C2Lop family writeup.


What to do now

Manual removal is not recommended for this threat. Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Trojan:Win32/C2Lop.gen!B is a generic detection for a family of trojans that modify web browser settings, add browser bookmarks, and deliver pop-up advertisements. Its behavior is similar to the family behavior presented in the C2Lop family writeup.
Installation
Trojan:Win32/C2Lop.gen!B may arrive on a system as a file bundled with other software.
 
Upon execution, it creates the following folders (apart from "the two bolt", the names appear to be randomly generated, so treat this as a set of observed examples rather than a complete list):
 
  • %APPDATA%\the two bolt
  • %ProgramFiles%\buolurqkvyyscwe
  • %ProgramFiles%\cfhhtkktlqrarhu
  • %ProgramFiles%\dexfbvpmipxslum
  • %ProgramFiles%\kfyvtinjaoymqxw
  • %ProgramFiles%\kjgabmoiixfqvhq
  • %ProgramFiles%\klnpnmcyousqkzr
  • %ProgramFiles%\llkhqvhamchvjzz
  • %ProgramFiles%\mbibljromhszoaf
  • %ProgramFiles%\obqgwxbnmrlyhcx
  • %ProgramFiles%\opzecyieonuqqum
  • %ProgramFiles%\the two bolt
  • %ProgramFiles%\uhtizvvglutmzia
  • %ProgramFiles%\uowlzlsydrrycdy
  • %ProgramFiles%\vqvyxkylwydvzmw
  • %ProgramFiles%\xhdopxvgqdorqrj
  • %ProgramFiles%\yifkqsusnxuyfde
  • %ProgramFiles%\ysjmwyfndhbkmor
 
It also creates the following registry entry as part of its malware installation routine:
 
Adds value: "curb mp3 bikefast", ""
To subkey: HKCU\Software\
Payload
Drops Additional Malware
Trojan:Win32/C2Lop.gen!B drops the following files:
 
  • %TEMP%\bis3.exe
  • %ALLUSERSPROFILE%\Application Data\city about store file\idle once.exe
  • %APPDATA%\the two bolt\mode ace 01.exe - detected as Trojan:Win32/C2Lop.C
  • %APPDATA%\the two bolt\byoonqku.exe
  • %APPDATA%\the two bolt\help readme internet bold.exe - detected as Trojan:Win32/C2Lop.C
  • %APPDATA%\the two bolt\support bits free.exe - detected as Trojan:Win32/C2Lop.C
 
It creates the following registry entries to enable its dropped files to run every time Windows starts:
 
Adds value: "Store file readme bash"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "Flag dead"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Adds to Favorites
Trojan:Win32/C2Lop.gen!B adds the following subfolders to Internet Explorer's Favorites folder:
 
  • Adult Entertainment
  • Adult Entertainment\Dating
  • Adult Items
  • Computers
  • Computers\Games
  • Cool Stuff
  • Cool Stuff\Fun Stuff
  • Cool Stuff\Home
  • Cool Stuff\Online Pharmacy
  • Dating
  • Home
  • Internet
  • Internet\Education
  • Online Gaming
  • Online Pharmacy
  • Shopping Gifts
  • Travel
 
Creates HOSTS File
Trojan:Win32/C2Lop.gen!B creates a file named "hosts" with a random extension in the same folder as the system HOSTS file, <system folder>\drivers\etc, for example:
<system folder>\drivers\etc\hosts.xnr
 
Analysis by Jaime Wong

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following folders:
%APPDATA%\the two bolt\
%ProgramFiles%\buolurqkvyyscwe
%ProgramFiles%\cfhhtkktlqrarhu
%ProgramFiles%\dexfbvpmipxslum
%ProgramFiles%\kfyvtinjaoymqxw
%ProgramFiles%\kjgabmoiixfqvhq
%ProgramFiles%\klnpnmcyousqkzr
%ProgramFiles%\llkhqvhamchvjzz
%ProgramFiles%\mbibljromhszoaf
%ProgramFiles%\obqgwxbnmrlyhcx
%ProgramFiles%\opzecyieonuqqum
%ProgramFiles%\the two bolt
%ProgramFiles%\uhtizvvglutmzia
%ProgramFiles%\uowlzlsydrrycdy
%ProgramFiles%\vqvyxkylwydvzmw
%ProgramFiles%\xhdopxvgqdorqrj
%ProgramFiles%\yifkqsusnxuyfde
%ProgramFiles%\ysjmwyfndhbkmor
  • The presence of the following files:
%TEMP%\bis3.exe
%ALLUSERSPROFILE%\Application Data\city about store file\idle once.exe
%APPDATA%\the two bolt\mode ace 01.exe
%APPDATA%\the two bolt\byoonqku.exe
%APPDATA%\the two bolt\help readme internet bold.exe
%APPDATA%\the two bolt\support bits free.exe
  • The presence of the following registry modifications:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Store file readme bash"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Flag dead"
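The following PowerShell script is an added example, not part of the Microsoft entry, that checks a Windows host for the artifacts listed above: the installation folders, the dropped files, the two Run-key values, the Favorites subfolders, and a "hosts" file with an extra extension in <system folder>\drivers\etc. It assumes Windows with PowerShell 2.0 or later and an elevated prompt (needed to read HKLM and %ProgramFiles%); the %ProgramFiles(x86)% root and the exclusion of hosts.ics are assumptions of this example, not facts from the entry. The script only reports; it removes nothing.

```powershell
# Added example; not part of the Microsoft writeup. Read-only hunt for the indicators
# listed in this entry. Assumes Windows with PowerShell 2.0+ and an elevated prompt
# (needed for HKLM and %ProgramFiles%). It reports findings; it removes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Installation folders. "the two bolt" is the only fixed-looking name; the rest
#    appear randomly generated, so their absence proves little.
$folderNames = @(
    'buolurqkvyyscwe', 'cfhhtkktlqrarhu', 'dexfbvpmipxslum', 'kfyvtinjaoymqxw',
    'kjgabmoiixfqvhq', 'klnpnmcyousqkzr', 'llkhqvhamchvjzz', 'mbibljromhszoaf',
    'obqgwxbnmrlyhcx', 'opzecyieonuqqum', 'the two bolt',    'uhtizvvglutmzia',
    'uowlzlsydrrycdy', 'vqvyxkylwydvzmw', 'xhdopxvgqdorqrj', 'yifkqsusnxuyfde',
    'ysjmwyfndhbkmor'
)
# %ProgramFiles(x86)% is an assumption for 64-bit hosts; the entry lists only %ProgramFiles%.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:APPDATA) | Where-Object { $_ }
foreach ($root in $roots) {
    foreach ($name in $folderNames) {
        $path = Join-Path $root $name
        if (Test-Path -LiteralPath $path -PathType Container) { $findings.Add("folder: $path") }
    }
}

# 2. Dropped files, paths as given in the entry
$dropped = @(
    (Join-Path $env:TEMP 'bis3.exe'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\city about store file\idle once.exe'),
    (Join-Path $env:APPDATA 'the two bolt\mode ace 01.exe'),
    (Join-Path $env:APPDATA 'the two bolt\byoonqku.exe'),
    (Join-Path $env:APPDATA 'the two bolt\help readme internet bold.exe'),
    (Join-Path $env:APPDATA 'the two bolt\support bits free.exe')
)
foreach ($file in $dropped) {
    if (Test-Path -LiteralPath $file -PathType Leaf) { $findings.Add("file: $file") }
}

# 3. Run-key values used for persistence. The value data is printed because the entry
#    does not say which dropped file each value launches.
$runChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Store file readme bash' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Flag dead' }
)
foreach ($check in $runChecks) {
    $props = Get-ItemProperty -Path $check.Key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$check.Name]) {
        $data = $props.PSObject.Properties[$check.Name].Value
        $findings.Add("run value: $($check.Key)\$($check.Name) = $data")
    }
}

# 4. Favorites subfolders. Generic names (Home, Internet, Travel) are weak on their own;
#    the Adult/Pharmacy entries and the nested pairs are the telling ones.
$favRoot = [Environment]::GetFolderPath('Favorites')
$favNames = @(
    'Adult Entertainment', 'Adult Entertainment\Dating', 'Adult Items', 'Computers',
    'Computers\Games', 'Cool Stuff', 'Cool Stuff\Fun Stuff', 'Cool Stuff\Home',
    'Cool Stuff\Online Pharmacy', 'Dating', 'Home', 'Internet', 'Internet\Education',
    'Online Gaming', 'Online Pharmacy', 'Shopping Gifts', 'Travel'
)
foreach ($name in $favNames) {
    $path = Join-Path $favRoot $name
    if (Test-Path -LiteralPath $path -PathType Container) { $findings.Add("favorite: $path") }
}

# 5. A "hosts" file carrying a random extension next to the real one. hosts.ics is the
#    legitimate Internet Connection Sharing file and is skipped (an assumption of this example).
$etc = Join-Path $env:SystemRoot 'System32\drivers\etc'
Get-ChildItem -LiteralPath $etc -Filter 'hosts.*' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'hosts' -and $_.Extension -ne '.ics' } |
    ForEach-Object { $findings.Add("hosts variant: $($_.FullName) ($($_.Length) bytes)") }

if ($findings.Count -eq 0) {
    'No indicators from this writeup were found.'
} else {
    "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { "  $_" }
}
```

A hit on the Run-key values, on "the two bolt", or on a hosts.* file is a strong signal; a hit only on a generic Favorites name such as "Home" or "Travel" is not, and the randomly generated folder names will usually differ on any sample other than the one analysed here. As the entry says, removal should be done with an up-to-date scanner rather than by deleting these items by hand.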

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.49.418.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Sep 01, 2008
This entry was updated on: May 17, 2010

This threat is also detected as:
  • Trojan.Swizzor.1 (BitDefender)
  • Swizzor.gen (McAfee)