Trojan:Win32/C2Lop.gen!F


Trojan:Win32/C2Lop.gen!F is a generic detection for a family of trojans that modify web browser settings, add browser bookmarks, and deliver pop-up advertisements. It is a member of the Trojan:Win32/C2Lop malware family.


What to do now

Manual removal is not recommended for this threat. Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Installation
Trojan:Win32/C2Lop.gen!F may arrive on a system as a file bundled with other software. When run, it launches Internet Explorer and injects its code into that Internet Explorer process, so that its later network activity originates from the browser process rather than from the trojan's own executable.
 
As part of its malicious routine, it may modify the system registry to include the following:
 
Adds value: "<random string>"
With data: "<random data>"
To subkey: HKCU\Software\<random string>
 
where <random string> is a name built by joining one or more of the following words, separated by spaces (see the example that follows the list):
 
01
1
16
2
32
4
64
about
ace
acid
active
admin
aim
amen
amok
ante
anti
army
atom
audio
axis
bags
bait
ball
balm
barb
base
bash
bat
beep
bend
bias
bib
bike
bin
bind
bird
bits
blah
bleh
blue
body
bold
bolt
bone
boob
book
bore
bows
browse
build
burn
byte
cake
camp
cash
cast
cdrom
chic
chin
city
clock
close
coal
comp
cool
copy
corn
creative
curb
dale
dart
dash
data
date
dead
deaf
debug
default
defy
delete
dent
does
dog
download
draw
drive
drv
dumb
dupe
dvd
each
eggs
else
enc
eq
error
exit
extra
face
fast
file
film
find
first
five
flag
flap
flaw
for
ford
fork
four
frag
free
funk
global
glue
gpl
gram
great
grey
grid
grim
heart
heck
help
hide
hold
hole
hope
htm
idle
idol
info
inside
inter
internet
intra
iso
itch
joy
jugs
jump
junk
keep
kind
knob
less
license
lies
link
list
lite
live
load
locks
log
logo
long
loud
love
mags
mail
manager
mapi
math
meal
media
meet
memo
meow
mess
meta
mfcd
mix
mode
more
move
mp3
mpeg
multi
name
new
noun
nurb
obj
okay
once
one
online
ooze
open
option
owns
part
peak
phone
pile
ping
plan
platform
play
plus
poke
poll
pop
proc
program
proxy
pure
rdr
readme
real
rect
ref
regs
remote
road
roam
rule
safe
save
scr
second
sect
seek
send
settings
setup
shim
show
sign
site
sixth
size
skip
slow
soap
soft
software
spam
start
stop
store
stupid
style
support
surf
team
test
that
the
third
this
thunk
tick
time
title
tons
tool
trans
tray
trust
two
type
up
upload
user
vc
vga
view
wait
warn
wave
way
web
win
window
wipe
wma
 
For example, a generated registry key would be:
HKCU\Software\Bait option trans
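The naming scheme above is a usable hunting indicator: a key under HKCU\Software whose name is made only of words from this dictionary is unusual for legitimate software. The following script is an added example, not code from the original encyclopedia entry. The word list is the one published above; the matching rule is an assumption made here (every whitespace-separated token must be a listed word, and at least two tokens are required by default, since the entry only says the name is "composed of some of the following strings" and its one example has three). The sample subkey names are constructed; on a Windows host the script enumerates the live registry through the standard winreg module instead.

```python
"""Hunt for C2Lop-style key names under HKCU\\Software.

Added example, not from the original entry. The matching rule (all
tokens in the dictionary, at least two tokens by default) is an
assumption; the entry does not state how names are generated.
"""
import sys

# Word list as published in the encyclopedia entry (duplicate "axis" dropped).
C2LOP_WORDS = frozenset("""
01 1 16 2 32 4 64 about ace acid active admin aim amen amok ante anti army
atom audio axis bags bait ball balm barb base bash bat beep bend bias bib bike
bin bind bird bits blah bleh blue body bold bolt bone boob book bore bows
browse build burn byte cake camp cash cast cdrom chic chin city clock close
coal comp cool copy corn creative curb dale dart dash data date dead deaf
debug default defy delete dent does dog download draw drive drv dumb dupe dvd
each eggs else enc eq error exit extra face fast file film find first five
flag flap flaw for ford fork four frag free funk global glue gpl gram great
grey grid grim heart heck help hide hold hole hope htm idle idol info inside
inter internet intra iso itch joy jugs jump junk keep kind knob less license
lies link list lite live load locks log logo long loud love mags mail manager
mapi math meal media meet memo meow mess meta mfcd mix mode more move mp3 mpeg
multi name new noun nurb obj okay once one online ooze open option owns part
peak phone pile ping plan platform play plus poke poll pop proc program proxy
pure rdr readme real rect ref regs remote road roam rule safe save scr second
sect seek send settings setup shim show sign site sixth size skip slow soap
soft software spam start stop store stupid style support surf team test that
the third this thunk tick time title tons tool trans tray trust two type up
upload user vc vga view wait warn wave way web win window wipe wma
""".split())


def looks_like_c2lop_name(name, min_tokens=2):
    """True if every whitespace-separated token of `name` is a dictionary word.

    Case-insensitive ("Bait option trans" -> bait, option, trans). One-word
    names are rejected by default: legitimate vendor keys such as "Creative"
    or "Support" collide with the dictionary, so a single word proves little.
    """
    tokens = name.lower().split()
    if len(tokens) < min_tokens:
        return False
    return all(tok in C2LOP_WORDS for tok in tokens)


def classify_subkeys(names, min_tokens=2):
    """Return, in order, the names from `names` that match the scheme."""
    return [n for n in names if looks_like_c2lop_name(n, min_tokens)]


def scan_hkcu_software(min_tokens=2):
    """Enumerate HKCU\\Software on a live Windows host (winreg, stdlib).

    Returns [(subkey, [(value_name, value_name_matches), ...]), ...].
    The entry says the value written under the key is itself a dictionary
    phrase, so a matching value name is reported as corroboration.
    On non-Windows platforms winreg is unavailable and [] is returned.
    """
    try:
        import winreg
    except ImportError:
        return []
    hits = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Software") as root:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            if not looks_like_c2lop_name(sub, min_tokens):
                continue
            values = []
            with winreg.OpenKey(root, sub) as key:
                vindex = 0
                while True:
                    try:
                        vname, _data, _vtype = winreg.EnumValue(key, vindex)
                    except OSError:  # no more values
                        break
                    vindex += 1
                    values.append((vname, looks_like_c2lop_name(vname, min_tokens)))
            hits.append((sub, values))
    return hits


# Constructed sample standing in for a HKCU\Software listing; only the last
# two names are built entirely from dictionary words with two or more tokens.
SAMPLE_SUBKEYS = [
    "Microsoft", "Adobe", "Creative", "Mozilla Firefox",
    "Bait option trans", "free load up 32",
]

if __name__ == "__main__":
    if sys.platform == "win32":
        for sub, values in scan_hkcu_software():
            print("suspicious key: HKCU\\Software\\" + sub)
            for vname, match in values:
                print("   value %r%s" % (vname, "  (dictionary phrase)" if match else ""))
    else:
        print("offline demo:", classify_subkeys(SAMPLE_SUBKEYS))
```

A hit is a lead, not a verdict: two ordinary words can also be a legitimate product name, so confirm with the other indicators on this page (injected Internet Explorer process, connections to the download host) before acting on it. Lower `min_tokens` to 1 only when you already suspect the host and want the noisier listing.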
Payload
Downloads and Executes Arbitrary Files
Win32/C2Lop.gen!F may connect to a remote web site to download and execute arbitrary files. The downloaded files are usually members of the TrojanDownloader:Win32/Swizzor family or other components of the Trojan:Win32/C2Lop family. Once the downloaded files are successfully installed, unwanted pop-ups and advertisements may be displayed on the system.
 
For example, one sample of Win32/C2Lop.gen!F attempts to connect to "ayb.host-domain-lookup.com" over HTTP (TCP port 80) to download files.
 
Analysis by Jireh Sanico

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of a subkey under HKCU\Software whose name is built from one or more of the words listed under "Installation" above (for example, HKCU\Software\Bait option trans), together with a value under that key whose name is built the same way.


Alert level: Severe
First detected by definition: 1.49.280.0
Latest detected by definition: 1.65.732.0 and higher
First detected on: Dec 09, 2008
This entry was first published on: Feb 11, 2009
This entry was updated on: May 17, 2010

This threat is also detected as:
  • Mal/Swizzor-D (Sophos)
  • Trojan.Swizzor.2 (BitDefender)
  • Swizzor.gen.c (McAfee)
  • Adware.Lopq (Symantec)