Trojan.Win32.Swisyn.bgkm

Removal Instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Delete the following files:
     %Temp%\letter.doc
     %Temp%\get.exe
     %Temp%\csrss.exe

  3. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


MD5: B7EB9571E800BF72E4FA2792AFFCE72D
SHA1: 0996B0A2CB236D4D89291A924E9C83319F36DB10

Payload

After launching, the trojan creates the following system registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"svchost"="%Temp%\csrss.exe"

[HKCU\Software\Microsoft\jdm]
"ID"="jdm0.2_43"

It then drops the following files from its body into the current user's temporary directory:
%Temp%\letter.doc

This file is 30208 bytes.
MD5: FA5E9C16062D517572247CC9B31BDA68

%Temp%\get.exe

This file is 84480 bytes.
MD5: 6EB1E08AD868A251F791907B82418E4C

%Temp%\csrss.exe

This file is 93696 bytes and is detected by Kaspersky Antivirus as Backdoor.Win32.Shell.bc.


The trojan then opens the file "letter.doc" using the associated application and launches the file "csrss.exe".


The launched "csrss.exe" file gives the attacker remote access to the infected computer; for this it connects to port 80 of the following IP address:

81.***.*28.181
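As an added triage example that is not part of this description: a Python check that matches a collected .reg export and a %Temp% file inventory against the registry values, file names, sizes and MD5 hashes listed above. The sample artifacts are constructed, and HKCU is written out as HKEY_CURRENT_USER, as a .reg export prints it.

```python
import re
# Indicators as published in the description above (HKCU expanded to its full name).
# Policies\Explorer\Run is an autostart location some tools list separately from
# the ordinary ...\CurrentVersion\Run key, so it is checked explicitly here.
REG_INDICATORS = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "svchost"): r"%Temp%\csrss.exe",
    (r"HKEY_CURRENT_USER\Software\Microsoft\jdm", "ID"): "jdm0.2_43",
}
FILE_INDICATORS = {  # dropped file name -> (size in bytes, MD5 or None if unpublished)
    "letter.doc": (30208, "fa5e9c16062d517572247cc9b31bda68"),
    "get.exe": (84480, "6eb1e08ad868a251f791907b82418e4c"),
    "csrss.exe": (93696, None),
}
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

def parse_reg_export(text):
    """Parse REG_SZ values of a .reg export into {(key, value_name): data}, names lower-cased."""
    values, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            # .reg syntax escapes backslashes and quotes inside string data.
            values[(key, m.group("name").lower())] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return values

def find_indicators(reg_text, temp_files):
    """Return the indicators present; temp_files is [(name, size, md5_hex)] from %Temp%."""
    hits, values = [], parse_reg_export(reg_text)
    for (key, name), expected in REG_INDICATORS.items():
        data = values.get((key.lower(), name.lower()))
        if data is not None and data.lower() == expected.lower():
            hits.append(f"registry {key}\\{name} = {data}")
    for name, size, md5 in temp_files:
        exp = FILE_INDICATORS.get(name.lower())
        if exp and size == exp[0] and (exp[1] is None or md5.lower() == exp[1]):
            hits.append(f"file %Temp%\\{name} ({size} bytes)")
    return hits

# Constructed sample artifacts: a .reg export of the two keys and a %Temp% inventory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"svchost"="%Temp%\\csrss.exe"
[HKEY_CURRENT_USER\Software\Microsoft\jdm]
"ID"="jdm0.2_43"
'''
SAMPLE_FILES = [
    ("letter.doc", 30208, "FA5E9C16062D517572247CC9B31BDA68"),
    ("get.exe", 84480, "6EB1E08AD868A251F791907B82418E4C"),
    ("csrss.exe", 93696, "<md5 not published>"),  # matched on size only
]
```

Running find_indicators(SAMPLE_REG, SAMPLE_FILES) on the samples reports both registry values and all three dropped files; a file of matching size but unknown name or mismatching MD5 is not reported.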

Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Windows application (PE-EXE file), 272896 bytes in size, written in C++.