Threat behavior
TrojanDownloader:Win32/Swizzor.gen is a generic detection for a Trojan that downloads files from remote Web sites, delivers pop-up and contextual advertisements and, depending on the variant, may add Web browser bookmarks, toolbars and search buttons in Internet Explorer.
Installation
Depending on the variant, when run, TrojanDownloader:Win32/Swizzor.gen may perform the following actions:
- Drops a copy of itself to the %Temp% folder using a randomly generated file name and continues execution from there.
- Modifies the registry in order to execute itself at each Windows start:
Adds value: <random strings>
With data: "%Appdata%\<path to Trojan executable>"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: <random strings>
With data: "%Appdata%\<path to Trojan executable>"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Drops the following hidden files:
%Windir%\Tasks\<random>.job
%Windir%\system32\drivers\etc\hosts.dap
%Windir%\system32\drivers\etc\hosts.iz4
%Windir%\system32\drivers\etc\hosts.jea
%Windir%\system32\drivers\etc\hosts.ljh
- Injects code into the running process IEXPLORE.EXE (the Internet Explorer Web browser).
- Makes further registry modifications:
Adds value: <random strings>
With data: "<encrypted data>"
To subkey HKEY_CURRENT_USER\Software\<Random strings>
- Creates randomly named folders, based on an internal dictionary, in the %Appdata%, %Common Appdata%, and %ProgramFiles% directories. The Trojan uses these folders to store files it may place on the affected machine. This may include downloaded components, also randomly named (see Payload section below for additional detail).
Payload
Downloads and Executes Arbitrary Files
The Trojan retrieves files from a remote Web site, presumably in order to update itself. It saves the downloaded files under random file names in randomly named folders that it may create in the %Appdata% and %Common Appdata% directories.
Displays Advertisements
TrojanDownloader:Win32/Swizzor.gen may deliver pop-up and contextual advertisements to users when they browse Web sites.
Creates Bookmarks
This Trojan may create bookmarks in the Internet Explorer Favorites folder and in the profile of the current user:
%UserProfile%\Favorites\Online Gaming
%UserProfile%\Favorites\Computers
%UserProfile%\Favorites\Games
%UserProfile%\Favorites\Internet
%UserProfile%\Favorites\Internet\Education
%UserProfile%\Favorites\Shopping Gifts
%UserProfile%\Favorites\Travel
%UserProfile%\Favorites\Cool Stuff
%UserProfile%\Favorites\Fun Stuff
%UserProfile%\Favorites\Cool Stuff\Home
%UserProfile%\Favorites\Cool Stuff\Online Pharmacy
%UserProfile%\Favorites\Adult Items
%UserProfile%\Favorites\Adult Entertainment
%UserProfile%\Favorites\Dating
Modifies Hosts File
The Trojan modifies the local hosts file to redirect Web browser connection attempts to domains linked with WinFixer to the localhost. These entries in the Hosts file may be suffixed by " ## added by CiD". The following hosts may be affected:
bin.errorprotector.com
br.errorsafe.com
br.winantivirus.com
br.winfixer.com
cdn.drivecleaner.com
cdn.errorsafe.com
cdn.winsoftware.com
de.errorsafe.com
de.winantivirus.com
download.cdn.drivecleaner.com
download.cdn.errorsafe.com
download.cdn.winsoftware.com
download.errorsafe.com
download.systemdoctor.com
download.winantispyware.com
download.windrivecleaner.com
download.winfixer.com
drivecleaner.com
dynamique.drivecleaner.com
errorprotector.com
errorsafe.com
es.winantivirus.com
fr.winantivirus.com
fr.winfixer.com
go.drivecleaner.com
go.errorsafe.com
go.winantispyware.com
go.winantivirus.com
hk.winantivirus.com
instlog.errorsafe.com
instlog.winantivirus.com
instlog.winfixer.com
jsp.drivecleaner.com
kb.errorsafe.com
kb.winantivirus.com
nl.errorsafe.com
se.errorsafe.com
secure.drivecleaner.com
secure.errorsafe.com
secure.winantispam.com
secure.winantispy.com
secure.winantivirus.com
support.winantivirus.com
trial.updates.winsoftware.com
ulog.winantivirus.com
utils.errorsafe.com
utils.winantivirus.com
utils.winfixer.com
winantispyware.com
winantivirus.com
winfixer.com
winfixer2006.com
winsoftware.com
www.drivecleaner.com
www.errorprotector.com
www.errorsafe.com
www.systemdoctor.com
www.utils.winfixer.com
www.win-anti-virus-pro.com
www.win-virus-pro.com
www.winantispam.com
www.winantispy.com
www.winantispyware.com
www.winantivirus.com
www.winantiviruspro.com
www.windrivecleaner.com
www.windrivesafe.com
www.winfixer.com
www.winfixer2006.com
www.winsoftware.com
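The hosts-file tampering and the dropped hosts.* sidecar files described in the Installation and Modifies Hosts File sections can be checked for with a small parser. The following is an added example, not code from the Microsoft encyclopedia entry: it parses hosts-file text, flags lines that redirect a WinFixer-family domain to localhost or carry the "## added by CiD" suffix, reports which of the four dropped file names are present in a drivers\etc directory listing, and produces a cleaned copy of the hosts text for review. The domain set is a subset copied from the list above (extend it with the full list as needed), the sample hosts content is constructed, and the function names are the example's own.

```python
"""Added detection example (not code from the Microsoft encyclopedia entry).

Parses a Windows hosts file and flags entries consistent with the Swizzor.gen
behaviour described above (localhost redirects of WinFixer-family domains,
lines tagged "## added by CiD"), lists the hidden hosts.* sidecar files the
entry says are dropped, and produces a cleaned copy of the hosts text.
"""
import os

# Subset of the affected domains listed in the entry; extend with the full list as needed.
WINFIXER_DOMAINS = {
    "winfixer.com", "www.winfixer.com", "download.winfixer.com",
    "errorsafe.com", "www.errorsafe.com", "drivecleaner.com",
    "winantivirus.com", "www.winantivirus.com", "winsoftware.com",
}
CID_MARKER = "added by cid"                      # compared case-insensitively
# 127.0.0.1 is what the entry describes; 0.0.0.0 and ::1 are included as equivalent sinkholes.
LOCALHOST_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Hidden files the entry says the Trojan drops beside the real hosts file.
SIDECAR_NAMES = ("hosts.dap", "hosts.iz4", "hosts.jea", "hosts.ljh")

# Constructed sample hosts file (not a real capture) mixing benign and suspect lines.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 www.winfixer.com ## added by CiD
127.0.0.1 errorsafe.com ## added by CiD
0.0.0.0 ads.example.test   # user's own ad-blocking entry
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostnames, comment) for each non-blank hosts line."""
    for no, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            continue            # blank or comment-only line
        yield no, fields[0], [h.lower() for h in fields[1:]], comment.strip(" #")


def find_suspicious_hosts_entries(text):
    """Return a list of findings, one per hosts line that matches an indicator."""
    findings = []
    for no, ip, hosts, comment in parse_hosts(text):
        reasons = []
        if CID_MARKER in comment.lower():
            reasons.append("CiD marker in comment")
        if ip in LOCALHOST_ADDRS and any(h in WINFIXER_DOMAINS for h in hosts):
            reasons.append("WinFixer-family domain redirected to localhost")
        if reasons:
            findings.append({"line": no, "ip": ip, "hosts": hosts, "reasons": reasons})
    return findings


def find_dropped_sidecars(dir_listing):
    """Given the file names in drivers\\etc, return those matching the dropped names."""
    present = {name.lower() for name in dir_listing}
    return [name for name in SIDECAR_NAMES if name in present]


def remove_flagged_lines(text):
    """Return the hosts text with every flagged line removed (for a reviewed cleanup)."""
    flagged = {f["line"] for f in find_suspicious_hosts_entries(text)}
    kept = [raw for no, raw in enumerate(text.splitlines(), 1) if no not in flagged]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    etc_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                           "System32", "drivers", "etc")
    hosts_path = os.path.join(etc_dir, "hosts")
    if os.path.isfile(hosts_path):
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        sidecars = find_dropped_sidecars(os.listdir(etc_dir))
    else:                                   # not on Windows: use the constructed sample
        text, sidecars = SAMPLE_HOSTS, find_dropped_sidecars(["hosts", "hosts.dap"])
    for f in find_suspicious_hosts_entries(text):
        print(f"line {f['line']}: {f['ip']} {' '.join(f['hosts'])} -> {', '.join(f['reasons'])}")
    print("dropped sidecar files present:", sidecars or "none")
```

Run it on a Windows host to inspect the live hosts file and directory; anywhere else it falls back to the constructed sample. The cleanup function only removes lines the detector flagged, so a legitimate localhost entry or a user's own ad-blocking entry survives, and the returned text is meant to be reviewed before it replaces the real file.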
Prevention