Worm:Win32/Swimnag.gen!A


Worm:Win32/Swimnag.gen!A is the EXE component of a worm that spreads via removable drives. It drops its DLL component, detected as Worm:Win32/Swimnag.gen!A.dll, in the system.


What to do now

Manual removal is not recommended for this threat. Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Installation
Worm:Win32/Swimnag.gen!A drops a randomly-named DLL file in the Windows system folder. This DLL file is detected as Worm:Win32/Swimnag.gen!A.dll.
 
It creates the following registry entry:
 
Adds value: "Blud"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 
It also registers its dropped DLL to run every time Windows starts:
 
Adds value: "DllName"
With data: "<system folder>\<random>.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<random key>
 
It adds an encrypted copy of itself to the dropped DLL file to enable the DLL to spread it.
 
It then deletes itself when it has completed its malware routine.
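The following check is an added example for this entry, not code from Microsoft or from the malware analysis above. It looks for the two Winlogon registry artifacts described under Installation: the "Blud" value added directly under the Winlogon key, and any Winlogon\Notify subkey whose DllName points at a DLL in the system folder. The Winlogon\Notify mechanism (Winlogon notification packages) is honored by Windows XP and Windows Server 2003; on Windows Vista and later the key is not loaded by winlogon.exe, so a hit there is still an artifact worth recording but is not an active persistence point. The script assumes an elevated PowerShell session and reports every Notify entry, because the entry does not give the random subkey or DLL name and an analyst has to judge each one (a random-looking subkey, an unsigned or missing DLL) by hand.

```powershell
# Added example: triage the Winlogon registry locations this entry describes.
# Run from an elevated PowerShell prompt. Nothing is modified.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. The "Blud" value the worm adds directly under Winlogon.
#    The entry documents the value name only, so any data is reported as-is.
$blud = Get-ItemProperty -Path $winlogon -Name 'Blud' -ErrorAction SilentlyContinue
if ($blud) {
    Write-Warning ("Winlogon value 'Blud' present, data: {0}" -f $blud.Blud)
} else {
    Write-Output "Winlogon value 'Blud' not present."
}

# 2. Winlogon\Notify subkeys. Each subkey's DllName is a DLL that winlogon.exe
#    loads on XP/2003. The worm uses a random subkey name and a random DLL
#    name in the system folder, so list every entry with its resolved path
#    and Authenticode status for manual review.
$systemDir = [Environment]::SystemDirectory
Get-ChildItem -Path "$winlogon\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -Name 'DllName' -ErrorAction SilentlyContinue).DllName
    if (-not $dll) { return }

    # A bare file name is resolved against the system folder, as winlogon does.
    $resolved = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $systemDir $dll }
    $status   = if (Test-Path -LiteralPath $resolved) {
                    (Get-AuthenticodeSignature -FilePath $resolved).Status
                } else { 'Missing' }

    [PSCustomObject]@{
        Subkey    = $_.PSChildName
        DllName   = $dll
        Resolved  = $resolved
        Signature = $status
    }
} | Format-Table -AutoSize
```

A Notify entry whose DLL is unsigned (Signature other than Valid) and whose subkey name is not one of the well-known packages installed on the host is the pattern to escalate; the DLL itself should be submitted to a scanner rather than deleted by hand, as the entry advises.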
Spreads Via...
Removable Drives
Worm:Win32/Swimnag.gen!A.dll searches for removable drives. If one is found, it drops the following files in the root of the drive, both with the hidden attribute:
  • m.exe - copy of Worm:Win32/Swimnag.gen!A
  • autorun.inf - INF file that enables the Worm:Win32/Swimnag.gen!A copy to automatically run when the drive is inserted
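The following check is an added example, not code from the page or from the original analysis. It enumerates removable drives and looks in each drive's root for the two hidden files named above, m.exe and autorun.inf, reporting their attributes, size and SHA-256 hash and printing the autorun.inf contents so the analyst can see what the INF would launch. The file names come from this entry; the use of Win32_LogicalDisk DriveType 2 for removable drives and the decision to hash rather than delete are assumptions of the example. Note that Get-Item and Get-ChildItem skip hidden files unless -Force is supplied, which is exactly what this worm relies on.

```powershell
# Added example: look for this worm's hidden dropper files on removable drives.
# Read-only: files are hashed and displayed, never executed or removed.

$hiddenFlag = [IO.FileAttributes]::Hidden
$targets    = @('autorun.inf', 'm.exe')   # file names documented in this entry

# DriveType 2 = removable disk (USB sticks, card readers).
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    foreach ($name in $targets) {
        # -Force is required or hidden files are silently skipped.
        $item = Get-Item -LiteralPath (Join-Path $root $name) -Force -ErrorAction SilentlyContinue
        if (-not $item) { continue }

        [PSCustomObject]@{
            Drive  = $_.DeviceID
            File   = $item.Name
            Hidden = [bool]($item.Attributes -band $hiddenFlag)
            Bytes  = $item.Length
            SHA256 = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        }

        # Show what the INF asks the shell to run; the entry does not give its
        # contents, so inspect rather than assume.
        if ($name -ieq 'autorun.inf') {
            Write-Output "--- $($item.FullName) ---"
            Get-Content -LiteralPath $item.FullName -Force
        }
    }
}
```

Both files present and hidden, with autorun.inf referencing m.exe, matches the spreading behavior described above. The m.exe hash can then be checked against the scanner's detections or submitted as a sample; as the entry says, removal should be left to an up-to-date scanner.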
 
Analysis by Marian Radu

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modifications:
    Added value: "Blud"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Feb 24, 2009
This entry was updated on: May 21, 2010

This threat is also detected as:
  • Trj/Spambot.C (Panda)