Trojan.Win32.Swisyn.ctsn_548a74301c
Trojan.Win32.Swisyn.ctsn (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Gen.Win32.IRC-Backdoor!IK (Emsisoft), GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 548a74301c0bb1388699e291b4f0fea1
SHA1: 090af2c598e3c667cd9f9df4c446f4a97be40a1e
SHA256: 220635b6b9da5a9a639c900cad6e9f8cce37f57ec2c81a59bb80b44d75894825
SSDeep: 3072:z/atXTAPMMX3wQqr2CahcopYDpEoueyc4MktJolGQxA/q2ARgC2zIulJG:Gtjjiqr2VhhYDpzwcZkqG sZARgvFy
Size: 542464 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftWindowsShortcutfile, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6, Armadillov171
Company: ApPure
Created at: 2004-11-25 21:32:24
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1092
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process %original file name%.exe:1092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\explorer.exe (3361 bytes)
Registry activity
The process %original file name%.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 ED F1 49 1E B0 B9 A9 E7 94 47 7C 6E A4 8D 81"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"explorer.exe" = "explorer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"Microsoft Windows Hosting Service Login" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\explorer.exe"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Hosting Service Login" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\explorer.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Hosting Service Login" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\explorer.exe"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://inflables.com.ve/lt.exe (ET POLICY PE EXE or DLL Windows file download , Malicious) |  158.255.2.24 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1092
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\explorer.exe (3361 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Hosting Service Login" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\explorer.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Hosting Service Login" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\explorer.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
