Virus

W32/Swizzor.K!tr

Analysis

This Trojan is a 32-bit executable with a UPX-packed file size of 292,695 bytes. When run, it starts a hidden Internet Explorer process and injects its code into that process. The Trojan then retrieves binary files from hard-coded websites.
File Download Routine
The Trojan downloads further UPX-packed files from hosts under the "lop.com" domain. The files are fetched from
<random>.bins.lop.com/bins/int/
where <random> is a random string. The Trojan performs a DNS query for this name, which resolves to the IP address 66.220.17.158. TCP trace utilities show the Trojan also connecting to other, similar IP addresses -
66.220.17.154
66.220.17.158
66.220.17.169
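The DNS name pattern and the traced addresses above are the network indicators a defender would watch for. The following is an added example, not code from the original write-up, that runs those indicators over a few constructed log lines in a simplified "timestamp client dns|conn value" format. The host regex is anchored so that look-alike names are not matched; treating the whole 66.220.17.0/24 range as suspicious is an assumption made here to cover the "other similar IP addresses" the analysis mentions, not a range stated on the page.

```python
import ipaddress
import re

# Network indicators taken from the write-up: the download host pattern
# <random>.bins.lop.com and the three addresses seen in the TCP trace.
LOP_HOST_RE = re.compile(r"^[^.\s]+\.bins\.lop\.com$", re.IGNORECASE)
KNOWN_IPS = {"66.220.17.154", "66.220.17.158", "66.220.17.169"}
# The traced addresses share one /24. Flagging the whole range is an
# assumption made in this example to catch the "other similar IP addresses"
# the analysis mentions; it is not a range stated on the page.
SUSPECT_NET = ipaddress.ip_network("66.220.17.0/24")

# Constructed sample log (not from the original page) in a simplified
# "<timestamp> <client> <dns|conn> <value>" format.
SAMPLE_LOG = """\
2005-03-01T10:00:01 10.0.0.5 dns qwert.bins.lop.com
2005-03-01T10:00:02 10.0.0.5 conn 66.220.17.158:80
2005-03-01T10:00:05 10.0.0.7 dns www.example.com
2005-03-01T10:00:06 10.0.0.7 conn 192.0.2.10:443
2005-03-01T10:00:09 10.0.0.5 conn 66.220.17.200:80
2005-03-01T10:00:10 10.0.0.9 dns bins.lop.com.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(dns|conn)\s+(\S+)$")


def classify(line):
    """Return (client, reason) when a log line matches an indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, kind, value = m.groups()
    if kind == "dns":
        # Anchored match: only hosts directly under bins.lop.com count,
        # so a look-alike such as bins.lop.com.example.net is ignored.
        if LOP_HOST_RE.match(value):
            return (client, "DNS lookup of download host " + value)
        return None
    # Connection entries may or may not carry a ":port" suffix.
    host = value.rpartition(":")[0] if ":" in value else value
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if str(addr) in KNOWN_IPS:
        return (client, "connection to known download address " + str(addr))
    if addr in SUSPECT_NET:
        return (client, "connection to neighbouring address %s in %s" % (addr, SUSPECT_NET))
    return None


def scan(log_text):
    """Run classify() over every line and collect the hits in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```

On the constructed log the scan reports three events, all from client 10.0.0.5: the lookup of the download host, the connection to 66.220.17.158, and a connection to a neighbouring address in the same /24. Correlating a lop.com lookup with a subsequent connection from the same client is the signal worth alerting on; the /24 match alone is weaker and is included only to show how the "similar addresses" remark can be turned into a check.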
The downloaded files are in the form of binary files with ".int" extension, such as -
upAYB.int
dkgen_up.int
tp_map6.int
updbho2.int
upd_admn.int
kr2.int
The downloaded files are written to newly created folders on the system. The Trojan may create strangely named folders such as these -
C:\..\All Users\Application Data\admin title delete defy\
C:\..\<user name>\Application Data\JUMP ROAD NOUN\
In these folders, the Trojan will copy the downloaded files as .EXE files. The names of the files are also strange, such as these -
Close amen remote more.exe
GRIM THE SURF.exe
hope drv readme.exe
Owns This Vc.exe
sjypglqj.exe
Drive bin.exe
Many of the downloaded files are spyware/adware programs.
Loading at Windows startup
The Trojan may register some of the retrieved files to load at Windows startup by adding entries into the registry such as these examples -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"thunkburn" = <path>\Owns This Vc.exe
HKEY_CLASSES_ROOT\CLSID\{<unique CLSID>}
"64535DBE" = 2C0411726CB7B446F792
HKEY_CLASSES_ROOT\CLSID\{<unique CLSID>}\InprocServer32\
"(Default)" = <path>\Drive bin.exe
"ThreadingModel" = Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"DeleteDefySendRoad" = <path>\Thunkfilm.exe
In one "nice" aspect, at least one of the downloaded files has an uninstall routine which can be accessed by the "Add/Remove Software" applet from the control panel -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\64 slow user\
"DisplayName" = Search Plugin
"UninstallString" = <path>\Owns This Vc.exe -uninstall
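The persistence entries listed in this section (Run values and a COM InprocServer32 registration, all pointing into odd folders under Application Data) can be checked for in a registry export. The following is an added example, not code from the original write-up: it parses a constructed .reg-style export that reproduces the entries described above (placeholder paths and a zeroed placeholder CLSID stand in for the <path> and <unique CLSID> values on the page) and flags Run or InprocServer32 values whose target lives under an Application Data folder.

```python
import re

# Constructed .reg-style export (not from the page). The paths and the
# all-zero CLSID are placeholders for the <path> and <unique CLSID> values
# given in the analysis; the value names and file names are the page's.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"thunkburn"="C:\\Documents and Settings\\user\\Application Data\\JUMP ROAD NOUN\\Owns This Vc.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\Documents and Settings\\All Users\\Application Data\\admin title delete defy\\Drive bin.exe"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeleteDefySendRoad"="C:\\Documents and Settings\\All Users\\Application Data\\admin title delete defy\\Thunkfilm.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Keys that load code at logon or when a COM object is instantiated.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
INPROC_RE = re.compile(r"\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32$", re.IGNORECASE)
# Targets under a per-user or All Users Application Data folder, where the
# analysis says the downloaded .exe files are dropped.
APPDATA_RE = re.compile(r"\\Application Data\\", re.IGNORECASE)


def parse_reg(text):
    """Yield (key, value_name, data) triples from a .reg-style export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            name = "(Default)" if vm.group(1) == "@" else vm.group(1)[1:-1]
            data = vm.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes as "\\"; undo that.
                data = data[1:-1].replace("\\\\", "\\")
            yield key, name, data


def find_persistence(text):
    """Return (kind, value_name, target) for auto-start entries under Application Data."""
    hits = []
    for key, name, data in parse_reg(text):
        is_run = bool(RUN_KEY_RE.search(key))
        is_inproc = bool(INPROC_RE.search(key)) and name == "(Default)"
        if not (is_run or is_inproc):
            continue
        if APPDATA_RE.search(data):
            hits.append(("Run key" if is_run else "COM InprocServer32", name, data))
    return hits


if __name__ == "__main__":
    for kind, name, target in find_persistence(SAMPLE_REG):
        print(kind, name, "->", target)
```

On the constructed export the check returns three entries (thunkburn, the CLSID's (Default) InprocServer32 value, and DeleteDefySendRoad) and leaves the legitimate ctfmon.exe entry alone. An export of the live hives for the same keys can be produced with reg.exe and fed to the same function; the Uninstall entry shown above is not an auto-start location and is deliberately not flagged.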

Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option