Threat Encyclopedia


Win32/Spy.Swisyn.AC

Aliases: Trojan.Win32.Swisyn.zsj (Kaspersky), Generic Dropper.pd (McAfee), W32/Swisyn.C.gen!Eldorado (F-Prot)
Type of infiltration: Trojan
Size: 1409024 B
Affected platforms: Microsoft Windows
Signature database version: 4896 (20100225)

Short description

Win32/Spy.Swisyn.AC is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan creates the following files:
  • %localappdata%\nt.dll (541186 B, Win32/Spy.Swisyn.AD)
  • %localappdata%\dllhost.exe (318466 B, Win32/Spy.Swisyn.AD)

In order to be executed on system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dllhost" = "%localappdata%\dllhost.exe"

Information stealing

The trojan collects the following information:
  • computer name
  • user name
The trojan is able to log keystrokes.

The collected information is stored in the following file:
  • %localappdata%\drivers.log
The trojan attempts to send gathered information to a remote machine.

The trojan contains a list of URLs (1 entry). The HTTP protocol is used.

Other information

The trojan quits immediately if it detects a running process containing one of the following strings in its name:
  • avp.exe
  • avgtray.exe
The trojan creates the following files:
  • run.bat
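
The Installation and Information stealing sections give enough host indicators for a triage check. The following is an added example, not part of the original entry or any vendor tool: it flags Run values that launch a dllhost.exe from outside the Windows system directories (a generalization of the entry's "dllhost" value) and reports the dropped files named above. The function names, the trusted-directory list and the sample data are assumptions made for illustration.

```python
import ntpath
import re

# File names from the entry above; all are created under %localappdata%.
DROPPED = ("nt.dll", "dllhost.exe", "drivers.log")
# Assumption: a legitimate dllhost.exe is only started from these directories.
SYSTEM_DIRS = (r"%systemroot%\system32", r"%systemroot%\syswow64")


def expand(path, env):
    """Expand %VAR% references case-insensitively and normalise the path."""
    lowered = {k.lower(): v for k, v in env.items()}
    out = re.sub(r"%([^%]+)%", lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)
    return ntpath.normcase(ntpath.normpath(out))


def exe_of(command):
    """Return the executable part of a Run value, quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def check_host(run_values, files, env):
    """Return (kind, name, path) findings for one user's Run values and files."""
    findings = []
    known = {expand("%localappdata%\\" + name, env) for name in DROPPED}
    trusted = {expand(d, env) for d in SYSTEM_DIRS}
    for name, command in run_values.items():
        exe = expand(exe_of(command), env)
        if ntpath.basename(exe) == "dllhost.exe" and ntpath.dirname(exe) not in trusted:
            findings.append(("run-key", name, exe))
    for f in files:
        path = expand(f, env)
        if path in known:
            findings.append(("file", ntpath.basename(path), path))
    return findings


# Constructed sample data, not taken from a real host.
ENV = {"LOCALAPPDATA": r"C:\Users\alice\AppData\Local", "SystemRoot": r"C:\Windows"}
RUN = {"dllhost": r"%localappdata%\dllhost.exe",
       "COM": r'"C:\Windows\System32\dllhost.exe" /Processid:{0}'}
FILES = [r"C:\Users\alice\AppData\Local\drivers.log", r"C:\Users\alice\Documents\notes.txt"]

if __name__ == "__main__":
    for finding in check_host(RUN, FILES, ENV):
        print(finding)
```

On a live system the `run_values` and `files` arguments would be filled from a registry export of the user's Run key and a directory listing of `%localappdata%`.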