[INFO]
AnalystName= Sonia Iuliana Botezatu
AnalystEMailID= botezatus@comodo.com
Team= Romania
Date= 12-JAN-2010
Type= TrojWare
Platform= Win32
SubType= TrojanDownloader
Family= Swizzor
Variant=

[OVERVIEW]
Swizzor is a trojan that is difficult to remove: it uses random filenames, random registry keys and obfuscation techniques to avoid detection. It uses memory injection and launches Internet Explorer to connect to various websites such as lop.com and ayb.host-domain-lookup.com. It may create various shortcuts and display pop-up ads, and may download various .exe malware files from randomly constructed URLs onto the system and execute them.

[TECHNICAL_DESCRIPTION]
Written in MS Visual C++.
Launches Internet Explorer in the background with malware code injected into it.
Registry keys added:
HKEY_CURRENT_USER\Software\[Random-words]
HKEY_USERS\Software\[Random-words]
e.g.
HKU\Software\army bin part
HKU\Software\army bin part\MailSpamNew

[SYMPTOMS]
Internet Explorer running in the background.
Adware-specific behavior (e.g. pop-ups).
Unknown new shortcuts.
Abnormal CPU usage.
Abnormal internet traffic.

[DISINFECTION]
Install Comodo Internet Security for safe malware removal.
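A hunting helper for the random-word registry keys described above, added here as an example and not part of the original Comodo write-up. It assumes Python 3; SAMPLE_KEYS and the allowlist are constructed, and the name pattern (two to five short lowercase words) is a heuristic inferred from the "army bin part" example, so hits are leads for an analyst to review, not verdicts:

```python
"""Flag Swizzor-style random-word subkeys under HKEY_CURRENT_USER\\Software.

Swizzor names its keys with several lowercase words separated by spaces
(e.g. "army bin part"). Legitimate vendor keys are almost always
capitalised or contain digits/punctuation, so an all-lowercase multi-word
name is a useful triage signal.
"""
import re
from typing import FrozenSet, Iterable, List

# Heuristic inferred from the write-up's example: 2-5 lowercase words of
# 2-8 letters each, separated by single spaces. Not an official signature.
RANDOM_WORDS = re.compile(r"^[a-z]{2,8}( [a-z]{2,8}){1,4}$")


def flag_random_word_keys(names: Iterable[str],
                          allowlist: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the subkey names that match the random-word pattern."""
    return sorted(n for n in names if RANDOM_WORDS.match(n) and n not in allowlist)


def enumerate_hkcu_software() -> List[str]:
    """List HKCU\\Software subkey names via the standard winreg module (Windows only)."""
    import winreg  # raises ImportError on non-Windows hosts
    names = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software") as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for index in range(subkey_count):
            names.append(winreg.EnumKey(key, index))
    return names


# Constructed sample standing in for an infected host's HKCU\Software listing.
SAMPLE_KEYS = ["Microsoft", "Google", "Classes", "army bin part", "Policies",
               "VB and VBA Program Settings", "free curb mode", "7-Zip"]

if __name__ == "__main__":
    try:
        keys = enumerate_hkcu_software()  # live registry when run on Windows
    except ImportError:
        keys = SAMPLE_KEYS                # offline demonstration elsewhere
    for name in flag_random_word_keys(keys):
        print("suspicious key: HKCU\\Software\\" + name)
```

On a live Windows host the same check can be pointed at HKEY_USERS\<SID>\Software for other profiles, which the write-up lists as the second location.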