HTTP SwiftCleaner Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects activity of the misleading application SwiftCleaner.

Additional Information

The program may be manually installed. It may also be downloaded by another program without the user's consent.

The program reports false or exaggerated system security threats on the computer.


When the program is executed, it attempts to connect to the following Web site:
[http://]statsgod.com/a/instl[REMOVED]

It then creates the following files:

* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\SwiftCleaner.lnk
* %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\SwiftScanner.lnk
* %UserProfile%\Desktop\SwiftCleaner.lnk
* %UserProfile%\Desktop\SwiftScanner.lnk
* %UserProfile%\Start Menu\Programs\Swift Software\SwiftCleaner.lnk
* %UserProfile%\Start Menu\Programs\Swift Software\UnInstall.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Swift Cleaner\SwiftCleaner\SwiftScanner.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Swift Cleaner\SwiftCleaner\SwiftUninstall.lnk
* %ProgramFiles%\Swift Software\SwiftCleaner\data\0.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\1.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\10.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\11.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\12.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\13.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\14.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\15.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\16.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\17.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\18.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\19.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\2.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\20.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\21.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\22.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\23.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\24.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\25.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\26.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\27.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\28.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\29.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\3.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\30.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\31.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\32.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\33.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\34.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\35.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\36.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\37.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\38.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\39.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\4.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\40.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\41.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\42.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\43.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\44.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\45.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\46.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\47.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\48.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\49.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\5.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\50.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\51.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\52.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\53.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\54.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\55.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\56.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\6.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\7.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\8.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\data\9.txt
* %ProgramFiles%\Swift Software\SwiftCleaner\Scanner.ini
* %ProgramFiles%\Swift Software\SwiftCleaner\SwiftCleanerScanner.exe



Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SwiftCleaner" = "C:\Program Files\Swift Software\SwiftCleaner\SwiftCleanerScanner.exe"

It also creates the following registry subkeys:

* HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\Cleaner
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SwiftCleaner Scanner
* HKEY_LOCAL_MACHINE\SOFTWARE\Swift Software

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows Vista
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
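
As an added example (not part of the original Symantec write-up), the following PowerShell script checks a host for the registry entries and a sample of the file locations listed above and, with `-Remove`, deletes the Run value as in step 4. It inspects only the current user's profile, assumes the paths are laid out as written on this page, and the `-Remove` switch is a name chosen for this example.

```powershell
# Added example: audit a host for SwiftCleaner artifacts listed in this write-up.
# Read-only unless -Remove is given. Run elevated so the HKLM keys are readable.
param([switch]$Remove)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'SwiftCleaner'
$subKeys  = @(
    'HKCU:\Software\Local AppWizard-Generated Applications\Cleaner',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SwiftCleaner Scanner',
    'HKLM:\SOFTWARE\Swift Software'
)
# A sample of the file locations from the list above (current user only).
$paths = @(
    (Join-Path $env:ProgramFiles 'Swift Software\SwiftCleaner'),
    (Join-Path $env:USERPROFILE  'Desktop\SwiftCleaner.lnk'),
    (Join-Path $env:USERPROFILE  'Desktop\SwiftScanner.lnk'),
    (Join-Path $env:USERPROFILE  'Start Menu\Programs\Swift Software')
)

$findings = @()

# Autostart value: record the command line it points to before touching it.
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{
        Type = 'RunValue'; Item = "$runKey\$runValue"; Data = $run.$runValue
    }
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# Registry subkeys are reported only; review them before deleting by hand.
foreach ($k in $subKeys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegKey'; Item = $k; Data = $null }
    }
}

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $p; Data = $null }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'None of the checked SwiftCleaner artifacts were found.' }
```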