Trojan.Swisyn

Target: Windows
Attributes: Payload: Backdoor, Downloader, InfoStealer
Propagation: AutoRun, Email, Exploits, Malware Download, Network Shares
Technique: Rootkit Kernel, StartUp
What it means:
Trojan.Swisyn can be installed on a vulnerable system when browsing malicious websites via drive-by download techniques. After installation, Trojan.Swisyn will download and install additional malware onto the infected system without user knowledge or consent. It may also hijack and install itself into system processes using rootkit techniques.

Trojan.Swisyn attempts to steal user data in a stealthy way. It searches for backdoors in the infected system's operating system and the utilities installed on it. It then sets up a connection between the user's system and a hacker-controlled server. This way, it can easily collect and send out your personal information stored on the system with a lessened chance of detection. It may degrade system performance, making the machine noticeably slower.

Trojan.Swisyn modifies the startup configuration so that its executable (Smss.exe) runs on each reboot.

Trojan.Swisyn will spread via removable storage devices, email attachments and network shares.

The following are the files associated with it:
  • winlogon.exe
  • smss.exe
  • lsass.exe
  • csrss.exe
  • xXx.exe
It modifies the following registry keys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Winlogon
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\lsass
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWSNT\CURRENTVERSION\WINLOGON\USERINIT\userinit
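As an added example (not part of this write-up and not a vendor tool), the following PowerShell checks the persistence locations and file names listed above from a defender's side; it assumes default Windows paths and the standard Userinit value, and flags anything that deviates.

```powershell
# Added example: look for the Trojan.Swisyn indicators listed in the write-up.
# Assumptions: default %SystemRoot%; a clean Userinit value is
# "<System32>\userinit.exe,"; the value names and file names come from the page.

function Get-SwisynIndicators {
    $runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $system32    = Join-Path $env:SystemRoot 'System32'

    # Value names the write-up says the trojan adds under Run.
    $suspectValueNames = @('Winlogon', 'lsass')
    # File names the trojan uses; the first four mimic real OS processes,
    # which only ever run from System32. xXx.exe is suspect anywhere.
    $systemLookalikes = @('winlogon.exe', 'smss.exe', 'lsass.exe', 'csrss.exe')
    $alwaysSuspect    = @('xXx.exe')

    $findings = @()

    # 1. Run key: these value names are never legitimate here.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($name in $suspectValueNames) {
        if ($run -and $run.PSObject.Properties[$name]) {
            $findings += "Run value '$name' -> $($run.$name)"
        }
    }

    # 2. Userinit: anything appended after the expected entry is a persistence hook.
    $userinit = (Get-ItemProperty -Path $winlogonKey -Name Userinit -ErrorAction SilentlyContinue).Userinit
    $expected = (Join-Path $system32 'userinit.exe') + ','
    if ($userinit -and $userinit.Trim() -ne $expected) {   # -ne is case-insensitive
        $findings += "Userinit value: $userinit"
    }

    # 3. Running processes: look-alike names outside System32, or xXx.exe anywhere.
    # ExecutablePath is empty for protected processes without elevation; those are skipped.
    Get-CimInstance Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) { return }
        $outside = -not $path.StartsWith($system32, 'OrdinalIgnoreCase')
        if (($systemLookalikes -contains $_.Name -and $outside) -or ($alwaysSuspect -contains $_.Name)) {
            $findings += "Process $($_.Name) (PID $($_.ProcessId)) at $path"
        }
    }

    return $findings
}

Get-SwisynIndicators | ForEach-Object { Write-Output "SUSPECT: $_" }
```

Run it from an elevated prompt so that the ExecutablePath of protected processes is visible; an empty result means none of the listed indicators were found, not that the system is clean.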


How can I avoid this:
To prevent the initial infection, a user or enterprise should apply security patches to operating systems, web browsers and other software in a timely manner, and run and maintain professional or freeware security tools such as anti-virus, personal firewall, and intrusion detection. Users should also avoid falling victim to social engineering attacks. Email attachments from unknown sources should not be opened, and users should not allow the installation of any program on their computer unless they trust the source of the program and know what the program is supposed to do.

What can I do:
The most reliable approach to clean your system is to restore it to a known clean restore point, or perform a new install of your system after backing up all your personal data. Other options include:
* Install or update your desktop security programs which may have removal capability for this threat. Often a user will need to boot into safe mode and then run a full scan to increase the chances of full removal.
* Brave-hearted users can consult additional resources such as ThreatExpert to perform a manual clean-up. This is not recommended for anyone but an expert.