Trojan.Win32.Swisyn.bgkm

Technical Details
Payload
Removal instructions

Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Windows application (PE-EXE file). 272896 bytes. Written in Ñ++.

Payload

After launching, the trojan creates the following system registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"svchost"="%Temp%\csrss.exe"

[HKCU\Software\Microsoft\jdm]
"ID"="jdm0.2_43"

It retrieves the following files from its body in the current user's temporary directory:

%Temp%\letter.doc

This file is 30208 bytes.

MD5: FA5E9C16062D517572247CC9B31BDA68

%Temp%\get.exe

This file is 84480 bytes.

MD5: 6EB1E08AD868A251F791907B82418E4C

%Temp%\csrss.exe

This file is 93696 bytes and is detected by Kaspersky Antivirus as Backdoor.Win32.Shell.bc.

The trojan then opens the file "letter.doc" using the associated application and launches the file "csrss.exe".

The launched "csrss.exe" file provides the attacker with remote access to the infected computer, for which a connection to the 80th port of the following IP address is created:

81.***.*28.181

Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
2. Delete the following files:

   %Temp%\letter.doc
   %Temp%\get.exe
   %Temp%\csrss.exe
   

3. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).

MD5: B7EB9571E800BF72E4FA2792AFFCE72D
SHA1: 0996B0A2CB236D4D89291A924E9C83319F36DB10

Summary

• Trojan-Dropper. Hidden installation of other malicious programs in the system

Technical details

File size of 272896 bytes.

Installation

Creates the following files on an infected computer:

• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\get.exe

Malicious activity

Creates the following files:

• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\письмо.doc
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\csrss.exe

Ensures subsequent Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted autorun of installed files:

by adding values to autorun keys in the system registry:

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ] "svchost" = " Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\csrss.exe"

Launches files shown below for execution:

• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\письмо.doc
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\csrss.exe

Other activities

Modifies the system registry keys:

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\jdm ] "ID" = "jdm0.2_43"