Win32/Spy.Swisyn [Threat Name] go to Threat

Win32/Spy.Swisyn.AC [Threat Variant Name]

Category trojan
Size 1409024 B
Detection created Feb 25, 2010
Detection database version 4896
Aliases Trojan.Win32.Swisyn.zsj (Kaspersky)
  Generic.Dropper.pd (McAfee)
  W32/Swisyn.C.gen!Eldorado (F-Prot)
Short description

Win32/Spy.Swisyn.AC is a trojan that steals sensitive information. The trojan can send the information to a remote machine.


When executed, the trojan creates the following files:

  • %localappdata%\­nt.dll (541186 B, Win32/Spy.Swisyn.AD)
  • %localappdata%\­dllhost.exe (318466 B, Win32/Spy.Swisyn.AD)

In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "dllhost" = "%localappdata%\­dllhost.exe"
Information stealing

The trojan collects the following information:

  • computer name
  • user name

The trojan is able to log keystrokes.

The collected information is stored in the following file:

  • %localappdata%\­drivers.log

The trojan attempts to send gathered information to a remote machine.

The trojan contains a list of (1) URLs. The HTTP protocol is used.

Other information

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • avp.exe
  • avgtray.exe

The trojan creates the following files:

  • run.bat

Please enable Javascript to ensure correct displaying of this content and refresh this page.