F-Secure
Tools
Trojan:W32/Swisyn.CAV
Summary
A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.
Disinfection
Manual Removal
1. Ensure vmmonitor.exe is not running (use Task Manager to end its process).
2. Delete the files vmmonitor.exe and qud.dtd
3. Delete this Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vmmonitor
1. Ensure vmmonitor.exe is not running (use Task Manager to end its process).
2. Delete the files vmmonitor.exe and qud.dtd
3. Delete this Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vmmonitor
Details
File System Changes
Creates these files:
- %appdata%\Microsoft\qup.dtd
- %appdata%\Microsoft\vmmonitor.exe
Uses these temporary files:
- %cwd%\alg.exe
- %appdata%\Microsoft\qud.dtd
Process Changes
Creates these mutexes:
- redzone
Network Connections
Attempts to download files from:
- http://wc-members.com/1/get.php?un=$GOAT-WXPSP2B_70692199
- http://203.106.203.238/wpad.dat
Additional Details
Trojan:W32/Swisyn.CAV downloads arbitrary files from a remote server and installs them onto the infected system.
Installation
When first executed, Swisyn.CAV creates copies of itself in the following locations:
Note that %cwd% is the directory the original malware file was executed in; %appdata% is usually C:\Documents and Settings\All users\Application data.
Activity
Once installed, the trojan attempts to connect to two remote locations and download files from them. The files downloaded by this variant are no longer available for analysis.
Registry
The following registry key is added to enable the malware to be launched at every startup:
Installation
When first executed, Swisyn.CAV creates copies of itself in the following locations:
- %cwd%\alg.exe - a temporary copy that is deleted after being executed
- %appdata%\Mcirosoft\vmmonitor.exe - a 'permanent' copy
- %appdata%\Microsoft\qud.dtd - empty file
Note that %cwd% is the directory the original malware file was executed in; %appdata% is usually C:\Documents and Settings\All users\Application data.
Activity
Once installed, the trojan attempts to connect to two remote locations and download files from them. The files downloaded by this variant are no longer available for analysis.
Registry
The following registry key is added to enable the malware to be launched at every startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vmmonitor =
"C:\DOCUME~1\ALLUSE~1\APPLIC~1\vmmonitor.exe ~mode =background-check=memory" [launchpoint]