Virus:TR/Swisyn.aegr.1
Date discovered:06/07/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low
Static file:Yes
File size:262.158 Bytes
MD5 checksum:28de640f45d5127fa5395c8f612066a2
IVDF version:7.10.09.13 - Tuesday, July 6, 2010

 General Method of propagation:
   • Autorun feature


Aliases:
   •  Sophos: Mal/AutoRun-N
   •  Bitdefender: Trojan.Agent.VB.BMA
   •  Panda: W32/Silly.BX


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %HOME%\Application Data\lsass.exe
   • %drive%\lsass.exe



It deletes the initially executed copy of itself.

%drive%\Autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%




It tries to executes the following file:

– Filename:
   • netsh firewall add allowedprogram program = %HOME%\Application Data\lsass.exename = Nero mode = ENABLE

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="Explorer.exe %HOME%\Application Data\lsass.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "MSWUpdate"="%HOME%\Application Data\lsass.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MSWUpdate"="%HOME%\Application Data\lsass.exe"

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Wednesday, August 25, 2010
Description updated by Petre Galan on Wednesday, August 25, 2010

Back . . . .