SWISYN
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet
SWISYN is a Trojan family first spotted around 2009. It is known primarily as a malware that drops other malware and executes them on the system it affects. This causes the affected system to display the malicious routines of the dropped malware.
SWISYN is also known to connect to possibly malicious URLs, as well as create registry entries in order to ensure its activation upon system startup.
TECHNICAL DETAILS
Yes
Drops files, Connects to URLs/IPs
Installation
This Trojan drops the following files:
- %User Temp%\services.exe
- %Windows%\Fonts\services.exe
- %System%\MSWINSCK.OCX
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Windows% is the Windows folder, which is usually C:\Windows.. %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Defender = "{malware path}\{malware name}.exe"
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
NOHIDORSYS
CheckedValue = "0"
Other Details
This Trojan connects to the following possibly malicious URL:
- {BLOCKED}.{BLOCKED}2.com
- http://{BLOCKED}hnaya.{BLOCKED}e.com/g.php?h={hex numbers}&p={numbers}
- http://{BLOCKED}hnaya.{BLOCKED}p.me/g.php?h={hex numbers}&p={numbers}
- http://www.{BLOCKED}i.{BLOCKED}t.putidea.co.cc/g.php?h={hex numbers}&p={numbers}
- http://{BLOCKED}u-{BLOCKED}l.getenjoyment.net/g.php?h={hex numbers}&p={numbers}
- {BLOCKED}n.{BLOCKED}y.net