PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Worm

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

SWISYN is a Trojan family first spotted around 2009. It is known primarily as malware that drops other malware and executes it on the affected system, so the affected system exhibits the malicious routines of whatever was dropped.

SWISYN is also known to connect to possibly malicious URLs, as well as create registry entries in order to ensure its activation upon system startup.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Drops files, Connects to URLs/IPs

Installation

This worm drops the following files:

  • %User Temp%\services.exe
  • %Windows%\Fonts\services.exe
  • %System%\MSWINSCK.OCX

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %Windows% is the Windows folder, which is usually C:\Windows. %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender = "{malware path}\{malware name}.exe"

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS
CheckedValue = "0"

Other Details

This worm connects to the following possibly malicious URLs:

  • {BLOCKED}.{BLOCKED}2.com
  • http://{BLOCKED}hnaya.{BLOCKED}e.com/g.php?h={hex numbers}&p={numbers}
  • http://{BLOCKED}hnaya.{BLOCKED}p.me/g.php?h={hex numbers}&p={numbers}
  • http://www.{BLOCKED}i.{BLOCKED}t.putidea.co.cc/g.php?h={hex numbers}&p={numbers}
  • http://{BLOCKED}u-{BLOCKED}l.getenjoyment.net/g.php?h={hex numbers}&p={numbers}
  • {BLOCKED}n.{BLOCKED}y.net
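The following read-only PowerShell audit script is an added example, not part of the Trend Micro write-up or any vendor tool. It checks a host for the indicators described under Installation, Autostart Technique and Other System Modifications: the three dropped files, the "Windows Defender" value under the Run key, and the NOHIDORSYS\CheckedValue entry. The file paths, key paths and value names are taken from the write-up above; the heuristic that a legitimate "Windows Defender" Run value points into the Windows Defender program folder, and the extra check of the Wow6432Node Run key and SysWOW64 on 64-bit systems, are assumptions of this example.

```powershell
# Added audit script (example only, not from the write-up). Read-only: it reports
# indicators and changes nothing. Run from an elevated PowerShell prompt; note that
# %User Temp% resolves to the Temp folder of the account running the script, so the
# check should be repeated for each user profile that was logged on.

$findings = @()

# 1. Dropped files listed under Installation. SysWOW64 is included as an
#    assumption: a 32-bit dropper on a 64-bit host is redirected there.
$dropped = @(
    (Join-Path $env:TEMP   'services.exe'),
    (Join-Path $env:WINDIR 'Fonts\services.exe'),
    (Join-Path $env:WINDIR 'System32\MSWINSCK.OCX'),
    (Join-Path $env:WINDIR 'SysWOW64\MSWINSCK.OCX')
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file present: $path"
    }
}

# 2. Autostart value "Windows Defender" under the Run key. The Wow6432Node
#    path is an assumption for 32-bit writers on 64-bit Windows.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$defenderDir = Join-Path $env:ProgramFiles 'Windows Defender'   # assumed legitimate location
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Windows Defender']) {
        $data = [string]$run.'Windows Defender'
        if ($data -notlike "*$defenderDir*") {
            $findings += "Suspicious Run value 'Windows Defender' in $key -> $data"
        }
    }
}

# 3. Explorer hidden-files entry listed under Other System Modifications.
$hidKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS'
$hid = Get-ItemProperty -Path $hidKey -Name CheckedValue -ErrorAction SilentlyContinue
if ($hid -and ([string]$hid.CheckedValue) -eq '0') {
    $findings += "NOHIDORSYS\CheckedValue = 0 (matches the value in the write-up)"
}

if ($findings.Count -eq 0) {
    'No SWISYN indicators found on this host.'
} else {
    $findings
}
```

A hit on the Run value or the dropped files is the stronger signal; the NOHIDORSYS entry on its own is weak evidence because the key can also exist for legitimate reasons, so treat it as corroboration rather than a verdict. When a Run value is flagged, the path it holds is the {malware path}\{malware name}.exe location to hand to the incident responder.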