Threat Encyclopedia

Win32/Spy.Swisyn.AI

Aliases: Trojan-Spy.Win32.KeyLogger.dzk (Kaspersky), Generic Dropper.pd (McAfee), Trojan:Win32/Orsam!rts (Microsoft)
Type of infiltration: Trojan
Size: 1477678 B
Affected platforms: Microsoft Windows
Signature database version: 5059 (20100425)

Short description

Win32/Spy.Swisyn.AI is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan creates the following files:
  • %appdata%\rundll.exe (427008 B, Win32/Spy.Swisyn.AI)
  • %appdata%\nt.dll (512000 B, Win32/Spy.Swisyn.AI)
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Rundll32" = "%appdata%\rundll.exe"

Information stealing

The trojan collects the following information:
  • user name
  • computer name
The trojan is able to log keystrokes.

The collected information is stored in the following file:
  • %appdata%\drivers.log
The trojan attempts to send gathered information to a remote machine.

The trojan contains a list of URLs (1 in total). The HTTP protocol is used.

Other information

The trojan quits immediately if it detects a running process containing one of the following strings in its name:
  • avp.exe
The trojan creates the following files:
  • run.bat
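
A read-only check for the files and Run value listed in this entry, added here as a PowerShell example (it is not part of the original entry or of any vendor tooling). The function name Test-SwisynArtifacts is hypothetical, and the check covers only the profile and HKCU hive of the account that runs it.

```powershell
# Added example. File names, sizes, the Run key and the value name come from the entry;
# the function name is hypothetical.
function Test-SwisynArtifacts {
    $findings = @()

    # Files the entry lists under %appdata%. drivers.log is the collected-data file,
    # so it has no fixed size to compare against.
    $files = [ordered]@{
        'rundll.exe'  = 427008
        'nt.dll'      = 512000
        'drivers.log' = $null
    }
    foreach ($name in $files.Keys) {
        $path = Join-Path $env:APPDATA $name
        # -Force so that hidden or system-flagged files are still returned.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $item) { continue }

        $expected = $files[$name]
        if ($null -eq $expected) {
            $detail = "present, $($item.Length) B"
        } elseif ($item.Length -eq $expected) {
            $detail = "present, size matches the entry ($expected B)"
        } else {
            # A different size can mean another variant or an unrelated file.
            $detail = "present, $($item.Length) B (entry lists $expected B)"
        }
        $findings += [pscustomobject]@{ Indicator = "File $path"; Detail = $detail }
    }

    # Autostart entry: value "Rundll32" under the current user's Run key.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'Rundll32' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{
            Indicator = "Run value 'Rundll32' in $runKey"
            Detail    = "data: $($run.Rundll32)"
        }
    }

    return $findings
}

Test-SwisynArtifacts | Format-Table -AutoSize -Wrap
```

An empty result means only that these specific names are absent for the account running the check.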