
Trojan.Win32.Swisyn.bgkm

Detected May 18 2011 09:17 GMT
Released May 18 2011 18:13 GMT
Published Sep 20 2011 15:19 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.


Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Windows application (PE-EXE file), 272896 bytes in size, written in C++.


Payload

After launching, the trojan creates the following registry keys and values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"svchost"="%Temp%\csrss.exe"

[HKCU\Software\Microsoft\jdm]
"ID"="jdm0.2_43"
It extracts the following files from its body into the current user's temporary directory:
%Temp%\letter.doc
This file is 30208 bytes.

MD5: FA5E9C16062D517572247CC9B31BDA68

%Temp%\get.exe
This file is 84480 bytes.

MD5: 6EB1E08AD868A251F791907B82418E4C

%Temp%\csrss.exe
This file is 93696 bytes and is detected by Kaspersky Antivirus as Backdoor.Win32.Shell.bc.

The trojan then opens the file "letter.doc" using the associated application and launches the file "csrss.exe".

The launched "csrss.exe" file gives the attacker remote access to the infected computer; to do this it connects to port 80 of the following IP address:

81.***.*28.181


Removal instructions

If your computer has not been protected with anti-virus software and has been infected with this malware, take the following actions to remove it:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Delete the following files:
    %Temp%\letter.doc
    %Temp%\get.exe
    %Temp%\csrss.exe
    
  3. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


MD5: B7EB9571E800BF72E4FA2792AFFCE72D
SHA1: 0996B0A2CB236D4D89291A924E9C83319F36DB10
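The indicators above (the dropped file names and sizes, the MD5/SHA1 values, the Policies\Explorer\Run persistence entry and the jdm marker key) can be checked on a suspect machine before following the removal steps. The script below is an added triage example, not Kaspersky's own tooling: it hashes files in the temporary directory against the listed values and parses a registry export (the text format produced by exporting a key from the Registry Editor) for the two keys the trojan writes. The sample registry export and the benign "Updater" entry in it are constructed for illustration; the hash and size values come from the description.

```python
import hashlib
import os
import re
from typing import Dict, List, Optional, Tuple

# Indicators taken from the description above. File names are relative to
# %Temp%; MD5 values are the ones the page lists (uppercase hex). The page
# gives no MD5 for csrss.exe, only its size and detection name.
DROPPED_FILES: Dict[str, Dict[str, Optional[object]]] = {
    "letter.doc": {"size": 30208, "md5": "FA5E9C16062D517572247CC9B31BDA68"},
    "get.exe":    {"size": 84480, "md5": "6EB1E08AD868A251F791907B82418E4C"},
    "csrss.exe":  {"size": 93696, "md5": None},
}
# Hashes of the original dropper (the 272896-byte PE-EXE).
DROPPER_HASHES = {
    "md5": "B7EB9571E800BF72E4FA2792AFFCE72D",
    "sha1": "0996B0A2CB236D4D89291A924E9C83319F36DB10",
}
# Persistence key: Explorer runs values under Policies\Explorer\Run at logon.
# Outside Group Policy deployments this key is rarely populated, so any value
# pointing into %Temp% deserves a look.
PERSISTENCE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                   r"\CurrentVersion\Policies\Explorer\Run")
# Marker key holding the "ID" value ("jdm0.2_43" in the analysed sample).
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\jdm"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest().upper()


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()


def classify_file(name: str, data: bytes, known=DROPPED_FILES,
                  dropper=DROPPER_HASHES) -> List[str]:
    """Return the indicator names that a file called `name` with content
    `data` matches. A hash match is strong evidence; a name+size match
    alone is weak and only marks the file for closer inspection."""
    hits: List[str] = []
    md5, sha1 = md5_hex(data), sha1_hex(data)
    if md5 == dropper["md5"] or sha1 == dropper["sha1"]:
        hits.append("dropper:hash")
    info = known.get(name.lower())
    if info:
        if info["md5"] and md5 == info["md5"]:
            hits.append(f"{name}:hash")
        elif len(data) == info["size"]:
            hits.append(f"{name}:name+size")
    return hits


# Value lines in a .reg export look like  "name"="data"  with backslashes
# doubled inside the data string.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def find_persistence(reg_text: str) -> List[Tuple[str, str, str]]:
    """Parse a .reg export and return (kind, value_name, data) for every
    value under the persistence key or the jdm marker key."""
    found: List[Tuple[str, str, str]] = []
    current_key: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        data = m.group("data").replace("\\\\", "\\")
        key = current_key.lower()
        if key == PERSISTENCE_KEY.lower():
            found.append(("persistence", m.group("name"), data))
        elif key == MARKER_KEY.lower():
            found.append(("marker", m.group("name"), data))
    return found


# Constructed registry export for demonstration: one benign entry under the
# ordinary Run key plus the two entries the description attributes to the trojan.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\ExampleApp\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\csrss.exe"

[HKEY_CURRENT_USER\Software\Microsoft\jdm]
"ID"="jdm0.2_43"
"""

if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_REG_EXPORT):
        print("registry:", hit)
    # Hash whatever copies of the dropped files exist in the real %Temp%.
    temp_dir = os.environ.get("TEMP", "/tmp")
    for fname in DROPPED_FILES:
        path = os.path.join(temp_dir, fname)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                print(path, classify_file(fname, fh.read()))
```

Running the script prints the two registry hits from the constructed export and, on a real Windows host, the classification of any `letter.doc`, `get.exe` or `csrss.exe` found in `%Temp%`. Treat a name+size hit as a prompt to submit the file for scanning rather than as confirmation: only a hash match ties a file to this specific sample.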


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.