Swisyn.ae

This page shows details and results of our analysis on the malware Swisyn.ae

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information -

    • MD5  - d36153b66a29f6fc515b54536aadf71e
    • SHA1 - 2cb7e82f07ce1515975d2b82fd6079c936f26993

Aliases -

    • F-Secure - Gen:Trojan.Heur.FU.gqW@a0SibZci
    • Kaspersky - Trojan.Win32.Swisyn.asnu
    • Microsoft - Trojan:Win32/Otran
    • Symantec - Trojan.Gen.2


Minimum DAT

6208 (2010-12-26)

Updated DAT

6216 (2011-01-04)

Minimum Engine

5400.1158

File Length

varies

Description Added

2010-12-26

Description Modified

2011-01-04

Malware Proliferation

Characteristics

Upon execution, the Trojan drops the following file:

    • %AppData%\C575E8A8-16E2-4C95-AE36-0BA9C90710B0\rundll32.exe

It then connects to the site "mach[removed].cc" to download the following malicious files:

    • %Temp%\Temp\3.tmp
    • %Temp%\Temp\3.exe
    • %Temp%\Temp\4.tmp
    • %Temp%\Temp\4.exe
    • %Temp%\Temp\5.tmp
    • %Temp%\Temp\5.exe
    • %Temp%\Temp\6.tmp
    • %Temp%\Temp\6.exe
    • %Temp%\Temp\netsf.inf
    • %Temp%\Temp\netsf_m.inf
    • %Temp%\Temp\passthru.sys
    • %WinDir%\inf\oem10.inf
    • %WinDir%\inf\netsf_m.inf
    • %WinDir%\inf\oem10.PNF
    • %WinDir%\inf\netsf_m.PNF
    • %WinDir%\system32\ip_qos.sys
    • %WinDir%\system32\ipsechlp.exe
    • %WinDir%\system32\PnPSvc.exe
    • %WinDir%\Adobe32 ARM\rundll32.exe
    • %WinDir%\Adobe32 ARM\libeay32.dll
    • %WinDir%\Adobe32 ARM\ssleay32.dll
    • %WinDir%\LastGood\INF\oem10.inf
    • %WinDir%\LastGood\INF\oem10.PNF
    • %WinDir%\system32\drivers\passthru.sys
    • %WinDir%\LastGood\system32\DRIVERS\passthru.sys
    • %WinDir%\LastGood\INF\netsf_m.inf
    • %WinDir%\LastGood\INF\netsf_m.PNF

The following registry keys have been added to the system:

    • HKEY_LOCAL_MACHINE\SOFTWARE\CoffeeCup Software, Inc.
    • HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla
    • HKEY_LOCAL_MACHINE\SOFTWARE\FlashFXP
    • HKEY_LOCAL_MACHINE\SOFTWARE\FTP Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\GlobalScape
    • HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch
    • HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\WS_FTP
    • HKEY_LOCAL_MACHINE\SOFTWARE\Rhino Software
    • HKEY_LOCAL_MACHINE\SOFTWARE\Rhino Software\FTP Voyager
    • HKEY_LOCAL_MACHINE\SOFTWARE\SmartFTP
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0010
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0010\Linkage
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Linkage
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#MS_PASSTHRUMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\#{A5A12FF1-7E01-4882-B5DC-FBFF0F6D8CE5}\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#MS_PASSTHRUMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#MS_PASSTHRUMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}\#{3D875026-1F18-4B9F-A7B8-2762AC24861E}\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}\##?#ROOT#MS_PASSTHRUMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{EF7AFF31-8ED7-4715-ADB0-B1C770331229}\Ndi\Interfaces
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{EF7AFF31-8ED7-4715-ADB0-B1C770331229}\Parameters
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDNET\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PNP_SERVICE\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PNP_SERVICE\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\MS_PASSTHRUMP\0000\Device Parameters
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\MS_PASSTHRUMP\0000\LogConf
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\MS_PASSTHRUMP\0000\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\MS_PASSTHRUMP\0001\Device Parameters
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\MS_PASSTHRUMP\0001\LogConf
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\MS_PASSTHRUMP\0001\Control
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\MS_PASSTHRUMP\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\MS_PASSTHRUMP\0001
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\MS_PASSTHRUMP\0000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\MS_PASSTHRUMP\0001
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDnet\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Passthru\Parameters\Adapters\NdisWanIp
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Passthru\Parameters\Adapters\{1AA0EBBD-23B2-442A-A674-6976CE7EEB6C}
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Passthru\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Passthru\Enum
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PnP Service\Security
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PnP Service\Enum
    • HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Metrowerks
    • HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Network-Client.com
    • HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Network-Client.com\FTP Now

The following registry values have been added to the system:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0010\Linkage\
      Export = '\Device\{A5A12FF1-7E01-4882-B5DC-FBFF0F6D8CE5}'
      RootDevice = '{A5A12FF1-7E01-4882-B5DC-FBFF0F6D8CE5} NdisWanIp'
      UpperBind = 'PSched'
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0010\
      Characteristics = 0x00000029
      ComponentId = "ms_passthrump"
      InfPath = "netsf_m.inf"
      InfSection = "PassthruMP.ndi"
      ProviderName = "Microsoft"
      DriverDateData = 00 40 2A 7C DD 68 C2 01
      DriverDate = "10-1-2002"
      DriverVersion = "6.0.4063.0"
      MatchingDeviceId = "ms_passthrump"
      DriverDesc = "Passthru Miniport"
      NetCfgInstanceId = "{A5A12FF1-7E01-4882-B5DC-FBFF0F6D8CE5}"
      FilterInfId = "ms_passthru"
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Passthru\
      Type = 0x00000001
      Start = 0x00000003
      ErrorControl = 0x00000001
      Tag = 0x0000000A
      ImagePath = "system32\DRIVERS\passthru.sys"
      DisplayName =  "Passthru Service"
      Group = "PNP_TDI"
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PnP Service\Enum\
      0  = "Root\LEGACY_PNP_SERVICE\0000"
      Count = 0x00000001
      NextInstance = 0x00000001
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PnP Service\Security\Security = Data
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PnP Service\
      Type = 0x00000010
      Start = 0x00000002
      ErrorControl = 0x00000001
      ImagePath =  "%WinDir%\system32\PnPSvc.exe"
      DisplayName = "PnP Service"
      ObjectName = "LocalSystem"
      Description = "Provides support of Windows Plug and Play devices"
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      C575E8A8-16E2-4C95-AE36-0BA9C90710B0 = "%AppData%\C575E8A8-16E2-4C95-AE36-0BA9C90710B0\rundll32.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      Adobe32 ARM = ""%WinDir%\Adobe32 ARM\rundll32.exe""
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      IpSync = "%WinDir%\system32\ipsechlp.exe"

The above three registry entries confirm that the Trojan executes every time Windows starts.

    • HKEY_USERS\S-1-[varies]\Software\Metrowerks\
      domain_url = "hxxp://mach[removed].cc/client.html"
      entity_id = 0x0001222F
      entity_auth = "zRDBmhkS"

This Trojan also has the ability to propagate itself via removable drives.

The Trojan drops a file onto the user's system with any of the following names:

    • Alicia.exe
    • Stephanie.exe
    • Angelina.exe
    • Kristen.exe
    • Britney.exe
    • Madonna.exe
    • Kelly.exe
    • Liz_Hurley.exe
    • Scarlett_Johansson.exe
    • Keira.exe

It records the keystrokes on the computer and logs them in a file. It can be configured to periodically send the log files by email.

It looks for the following security-related applications and terminates them if found:

    • symantec
    • mcafee
    • eset
    • avast
    • avg
    • onecare
    • antivir
    • avira
    • drweb
    • kaspersky

It also connects to the following sites to download malicious files:

    • hxxp://glueck[removed].cc/client.html
    • hxxp://vermo[removed].cc/client.html
    • hxxp://re3[removed].ru/client.html
    • hxxp://pretty[removed].ru/client.html
    • hxxp://linc[removed].ru/client.html
    • hxxp://upper[removed].ru/client.html
    • hxxp://shift[removed].ru/client.html

[Note: %Temp% - C:\Documents and Settings\[UserName]\Local Settings
%WinDir% - C:\WINDOWS
%AppData% - C:\Documents and Settings\[UserName]\Application Data]
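As an added example (not part of the advisory and not McAfee's own tooling), the following read-only PowerShell triage script checks a host for the dropped files, the three Run-key entries, the Passthru and "PnP Service" service keys, and the Metrowerks configuration value listed above; it expands %WinDir% and %AppData% as in the note. The variable names are my own, and checking only the current user's hive (HKCU) for the per-user entries is an assumption.

```powershell
# Added triage script for the Swisyn.ae indicators in this advisory (not McAfee's tooling).
# Read-only: reports matches, changes nothing. Run in an elevated PowerShell session.
$hits = @()

# 1. Dropped files; environment variables are expanded as described in the note above.
$files = @(
    '%AppData%\C575E8A8-16E2-4C95-AE36-0BA9C90710B0\rundll32.exe',
    '%WinDir%\system32\ip_qos.sys',
    '%WinDir%\system32\ipsechlp.exe',
    '%WinDir%\system32\PnPSvc.exe',
    '%WinDir%\Adobe32 ARM\rundll32.exe',
    '%WinDir%\system32\drivers\passthru.sys'
)
foreach ($f in $files) {
    $p = [Environment]::ExpandEnvironmentVariables($f)
    if (Test-Path -LiteralPath $p) { $hits += "File present: $p" }
}

# 2. Run-key persistence: the three values the advisory says start the Trojan with Windows.
#    Assumption: the HKEY_USERS\S-1-5-... entry is checked via HKCU for the current user only.
$runChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Adobe32 ARM' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'IpSync' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';
       Name = 'C575E8A8-16E2-4C95-AE36-0BA9C90710B0' }
)
foreach ($c in $runChecks) {
    $v = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($v) { $hits += "Run value: $($c.Key)\$($c.Name) = $($v.$($c.Name))" }
}

# 3. Service keys: the Passthru NDIS driver (passthru.sys) and the bogus "PnP Service" (PnPSvc.exe).
foreach ($svc in 'Passthru', 'PnP Service') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($v) { $hits += "Service key: $svc ImagePath=$($v.ImagePath)" }
}

# 4. Command-and-control configuration stored under the Metrowerks key.
$cfg = Get-ItemProperty -Path 'HKCU:\Software\Metrowerks' -ErrorAction SilentlyContinue
if ($cfg -and $cfg.domain_url) { $hits += "C2 config: domain_url=$($cfg.domain_url)" }

if ($hits.Count -eq 0) { 'No Swisyn.ae indicators found.' } else { $hits }
```

To cover other user profiles on the machine, repeat the HKCU checks against each loaded hive under HKU:\ instead.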

Symptoms

    • The symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.
    • It also downloads the following malicious files:
      • hxxp://it[removed].cc/client/files/08dec_infector/bot_08dec_infector.exe
      • hxxp://mach[removed].cc/client/files/08dec_infector/bot_08dec_infector.exe
      • hxxp://glueck[removed].cc/client/08dec_infector/files/bot_08dec_infector.exe
      • hxxp://zimmer[removed].cc/client/files/08dec_infector/bot_08dec_infector.exe

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Reset and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Reset and remove the CD from the CD-ROM drive.

Variants