Threat Encyclopedia

Win32/Spy.Swisyn.AH

Aliases: Trojan.Win32.Cidres.an (Kaspersky), TrojanSpy:Win32/Keylogger.AD (Microsoft), Generic Dropper.pd (McAfee)
Type of infiltration: Trojan
Size: 2699412 B
Affected platforms: Microsoft Windows
Signature database version: 4955 (20100318)

Short description

Win32/Spy.Swisyn.AH is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan creates the following files:
  • %appdata%\rundll.exe (96768 B, Win32/Spy.Swisyn.AH)
  • %appdata%\nt.dll (541184 B, Win32/Spy.Swisyn.AH)

In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Rundll32" = "%appdata%\rundll.exe"

Information stealing

The trojan collects the following information:
  • computer name
  • user name
The trojan is able to log keystrokes.

The collected information is stored in the following file:
  • %appdata%\drivers.log
The trojan attempts to send gathered information to a remote machine.

The trojan contains a list of URLs (1 entry). The HTTP protocol is used.

Other information

The trojan creates the following files:
  • run.bat
  • %appdata%\artmoney732eng.exe (1450582 B)
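
A triage check for the artifacts listed under Installation, Information stealing and Other information, added here as an example and not part of the original description or of any vendor tool. It assumes the listed paths are files directly under the user's %appdata% folder; the function names are hypothetical, and the file check also works on a profile folder copied from a disk image.

```python
from pathlib import Path

# Names and sizes as listed in this description; None = no size given.
ARTIFACTS = {"rundll.exe": 96768, "nt.dll": 541184,
             "drivers.log": None, "artmoney732eng.exe": 1450582}
RUN_TARGET = r"%appdata%\rundll.exe"  # data of the "Rundll32" Run value


def check_files(appdata_dir):
    """Return (name, actual_size, verdict) for listed files directly under appdata_dir."""
    # NTFS lookups are case-insensitive, so compare lower-cased names.
    present = {p.name.lower(): p for p in Path(appdata_dir).iterdir() if p.is_file()}
    findings = []
    for name, listed in ARTIFACTS.items():
        path = present.get(name)
        if path is None:
            continue
        actual = path.stat().st_size
        # A size match is a stronger signal than a name other software may reuse.
        verdict = "name+size" if listed == actual else "name-only"
        findings.append((name, actual, verdict))
    return findings


def run_key_hits(run_values, appdata_win):
    """Return (name, data) Run values whose data resolves to rundll.exe under %appdata%."""
    # run_values: {value name: data} taken from the user's Run key (export or live read).
    # appdata_win: that user's %appdata% as a Windows path string.
    base = appdata_win.lower().rstrip("\\")

    def norm(s):
        return s.strip().strip('"').lower().replace("%appdata%", base)

    target = norm(RUN_TARGET)
    return [(n, d) for n, d in run_values.items() if norm(d) == target]


def live_run_values():
    """Read HKCU Run values on a live Windows host (winreg is Windows-only)."""
    import winreg
    key = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as k:
        count = winreg.QueryInfoKey(k)[1]  # number of values under the key
        return {n: str(d) for n, d, _ in (winreg.EnumValue(k, i) for i in range(count))}


if __name__ == "__main__":
    import os
    appdata = os.environ["APPDATA"]
    print(check_files(appdata))
    print(run_key_hits(live_run_values(), appdata))
```

A "name-only" verdict on rundll.exe or nt.dll means the file exists but its size differs from the one listed here, so it needs a scan or hash comparison before drawing a conclusion.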