
Trojan.Downloader.Swizzor.EM


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Downloader.Swizzor.EM is also known as Trojan.LopAd, Win32/Lop.BI, Adware.Win32.Lop.Ai.

Explanation:

The trojan determines the path of Internet Explorer using the system registry. It then checks whether it is already running in the process context of Internet Explorer. If not, a new instance of Internet Explorer is created and the trojan loads and executes itself as a library inside that Internet Explorer process.

The trojan downloads other malware from randomly constructed URLs of the form http://[random]/bins/int/[removed]. The files are downloaded into the %TMP% folder with a .TMP extension, but are later moved to the %AppData% directory under random names built from a dictionary (like %AppData%PollFindSiteSupportBike.exe) and executed.

If the injection of code into Internet Explorer fails, the trojan instead inspects its command line arguments:

If the command line arguments do not include a predefined signature (such as 923ccb1f), a message box with the title "Bad Elmo" and the text "You must install this software as part of the parent program. Press OK to exit." appears, and the trojan exits.

If the command line argument "-newkEm" is present, the trojan searches for a special window (with class "wwBYAwnd" and name "windWWAA") and sends the Windows message 0x533 to it, which may trigger the execution of other malware. The trojan also registers a new window message with the typical name 'ZegkScArbUni'. It then tries to execute malware from %AppData% with names based on an encrypted dictionary (like %AppData%PollFindSiteSupportBike.exe). After this the trojan exits.

If the command line argument "SwIcertifiEd 1" is set, the trojan downloads and executes other malware under %TMP%, named bis[randomnumber].exe, with parameters like "-Curl 923ccb1f -MpXNP_0001".

The trojan contains many encrypted strings specific to Swizzor variants. The intensive use of command line arguments is intended to hinder heuristic detection.
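The command line arguments, download URL pattern, dropper file name and window artifacts described above are all usable as host-based indicators. The following script is an added example (not part of the BitDefender description) that matches constructed telemetry events against exactly those indicators; the event format, the function names and the %AppData% file-name heuristic are assumptions made here, and the sample events are constructed, not real captures.

```python
import re
from dataclasses import dataclass

# Indicators taken from the BitDefender description of Trojan.Downloader.Swizzor.EM;
# everything else in this file is an assumption of this example.
SIGNATURE = "923ccb1f"                      # predefined command-line signature
ARG_FLAGS = ("-newkEm", "SwIcertifiEd 1", "-Curl", "-MpXNP_0001")
WINDOW_MARKERS = ("wwBYAwnd", "windWWAA", "ZegkScArbUni")
URL_RE = re.compile(r"^https?://[^/\s]+/bins/int/", re.IGNORECASE)
BIS_EXE_RE = re.compile(r"(?:^|[\\/\"])bis\d+\.exe\b", re.IGNORECASE)
# Loose heuristic (assumption, not from the page): an .exe directly under
# %AppData%\Roaming whose name is three or more capitalised dictionary words.
APPDATA_WORDS_RE = re.compile(r"[\\/]AppData[\\/]Roaming[\\/](?:[A-Z][a-z]+){3,}\.exe$")


@dataclass
class Event:
    kind: str    # "process" (full command line), "url", "file", or "window"
    value: str


def match_event(ev: Event) -> list:
    """Return the names of the Swizzor indicators one telemetry event matches."""
    hits = []
    if ev.kind == "process":
        if SIGNATURE in ev.value:
            hits.append("cmdline_signature")
        hits += ["cmdline_flag:" + f for f in ARG_FLAGS if f in ev.value]
        if BIS_EXE_RE.search(ev.value):
            hits.append("tmp_bis_dropper")
    elif ev.kind == "url" and URL_RE.match(ev.value):
        hits.append("download_url_pattern")
    elif ev.kind == "file" and APPDATA_WORDS_RE.search(ev.value):
        hits.append("appdata_dictionary_name")   # heuristic; expect false positives
    elif ev.kind == "window" and any(m in ev.value for m in WINDOW_MARKERS):
        hits.append("window_artifact")
    return hits


def scan(events) -> dict:
    """Map each matched indicator name to the event values that triggered it."""
    found = {}
    for ev in events:
        for hit in match_event(ev):
            found.setdefault(hit, []).append(ev.value)
    return found


def sample_events() -> list:
    """Constructed sample telemetry shaped like the page's description (not real captures)."""
    return [
        Event("process", r'"C:\Users\u\AppData\Local\Temp\bis4711.exe" -Curl 923ccb1f -MpXNP_0001'),
        Event("process", r'"C:\Program Files\Internet Explorer\iexplore.exe" -newkEm'),
        Event("process", r"notepad.exe C:\notes.txt"),
        Event("url", "http://a1b2c3.invalid/bins/int/payload"),
        Event("url", "https://www.example.com/index.html"),
        Event("file", r"C:\Users\u\AppData\Roaming\PollFindSiteSupportBike.exe"),
        Event("window", "class=wwBYAwnd name=windWWAA"),
    ]


if __name__ == "__main__":
    for name, values in sorted(scan(sample_events()).items()):
        print(name, "<-", values)
```

The literal strings (signature, flags, window class and name, registered message) are the strongest matches because the page describes them as fixed across the variant; the `/bins/int/` URL prefix and the `bis[number].exe` name are weaker on their own, and the %AppData% dictionary-name regex is only a triage hint since the dictionary itself is not published on the page.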

Last update 21 November 2011
