Threat Encyclopedia

Win32/Spy.Swisyn.Q

Aliases: Trojan.Win32.Inject.amdl (Kaspersky), TrojanSpy:Win32/Swisyn.B (Microsoft), Generic.dx!nkr (McAfee)
Type of infiltration: Trojan
Size: 285696 B
Affected platforms: Microsoft Windows
Signature database version: 4972 (20100324)

Short description

Win32/Spy.Swisyn.Q is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine.

Installation

The trojan does not create any copies of itself.

Information stealing

The trojan is able to log keystrokes.

The following information is collected:
  • computer name
  • passwords
The trojan collects information related to the following applications:
  • CuteFTP Pro
  • DynDNS
  • FileZilla
  • Google Chrome
  • IntelliForms
  • Internet Download Manager
  • Mozilla Firefox
  • PalTalk
  • Steam
  • Trillian
  • Windows Live IM
  • Yahoo Messenger
The trojan attempts to send gathered information to a remote machine.

The trojan contains a list of URLs (1 in total). The FTP protocol is used.

Other information

The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "%variable%" = "%malwarepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "%variable%" = "%malwarepath%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{%GUID%}]
    "StubPath" = "%malwarepath%"
A string with variable content is used instead of %variable%.

The trojan may create the following files:
  • %programfiles%\buildlog.txt
  • %programfiles%\hackhound.txt