Win32/Spy.SpyEye [Threat Name]

Win32/Spy.SpyEye.CA [Threat Variant Name]

Available cleaner [Download SpyEye Cleaner]

Category trojan
Size 316416 B
Detection created Dec 29, 2010
Signature database version 7470
Aliases Trojan-Spy.Win32.SpyEyes.fbv (Kaspersky)
  Infostealer (Symantec)
  Trojan.PWS.SpySweep.44 (Dr.Web)
  Trojan:Win32/EyeStye.H (Microsoft)
Short description

Win32/Spy.SpyEye.CA is a trojan that steals sensitive information. The trojan can send the information to a remote machine. It uses techniques common to rootkits.

Installation

When executed, the trojan copies itself into the following location:

  • %systemdrive%\%variable1%\%variable2%.exe

The following file is dropped in the same folder:

  • %variable3%

A string with variable content is used in place of %variable1-3%.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%.exe" = "%systemdrive%\%variable1%\%variable2%.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "EnableHttp1_1" = 1
    • "ProxyHttp1.1" = 1
    • "WarnOnPost" = 0
    • "WarnOnPostRedirect" = 0
    • "WarnOnIntranet" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1409" = 3
    • "1609" = 0
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1409" = 3
    • "1609" = 0
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1409" = 3
    • "1609" = 0
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1409" = 3
    • "1609" = 0
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1409" = 3
    • "1609" = 0
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
    • "1406" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
    • "EnabledV8" = 0
    • "ShownServiceDownBalloon" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery]
    • "ClearBrowsingHistoryOnExit" = 0
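An added example, not part of the ESET entry, that turns the registry footprint above into an offline triage check: it parses a `reg export` text dump and reports values matching the Run-key pattern and the Internet Settings values listed (the sample dump and the names qwe12 and fgh34 are constructed, standing in for %variable2% and %variable1%).

```python
import re
# Constructed sample of a `reg export HKCU` dump (not a real capture); the Run value mirrors the %variable2%.exe pattern.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qwe12.exe"="C:\\fgh34\\qwe12.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPost"=dword:00000000
"WarnOnPostRedirect"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1409"=dword:00000003
"1609"=dword:00000000
"1406"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"EnabledV8"=dword:00000000
"""

MS = "hkey_current_user\\software\\microsoft\\"
IS = MS + "windows\\currentversion\\internet settings"
RUN = MS + "windows\\currentversion\\run"
# Fixed value/data pairs from this entry (EnableHttp1_1 left out: 1 is also the normal setting)
FIXED = {IS: {"warnonpost": 0, "warnonpostredirect": 0, "warnonintranet": 0},
         MS + "internet explorer\\phishingfilter": {"enabledv8": 0}}
ZONE = re.compile(re.escape(IS) + r"\\(lockdown_)?zones\\[0-4]")
ZONE_VALS, LOCKDOWN_VALS = {"1409": 3, "1609": 0, "1406": 0}, {"1406": 0}

def parse_reg(text):
    # .reg export -> {key: {name: data}}; keys and names lower-cased, dword -> int, string -> str
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            keys[(cur := line[1:-1].lower())] = {}
        elif cur and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                keys[cur][name.lower()] = int(data[6:], 16)
            elif len(data) > 1 and data[0] == data[-1] == '"':
                keys[cur][name.lower()] = data[1:-1].replace("\\\\", "\\")
    return keys

def find_indicators(text):
    hits = []  # (key, value name, data) triples matching the footprint this entry lists
    for key, vals in parse_reg(text).items():
        m = ZONE.fullmatch(key)
        want = FIXED.get(key) or (m and (LOCKDOWN_VALS if m.group(1) else ZONE_VALS)) or {}
        hits += [(key, n, d) for n, d in want.items() if vals.get(n) == d]
        if key == RUN:  # value "<x>.exe" whose data is <drive>:\<one dir>\<x>.exe
            hits += [(key, n, d) for n, d in vals.items() if isinstance(d, str)
                     and n.endswith(".exe")
                     and re.fullmatch(r"[a-z]:\\[^\\]+\\" + re.escape(n), d.lower())]
    return hits
```

A single zone or lockdown-zone value at one of these settings is a weak signal on its own; the combination with the Run-key pattern is what makes the match worth escalating.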

The trojan may create and run a new thread with its own program code within any running process.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


Configuration is stored in the following file:

  • %variable3%

The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • monitor network traffic

The trojan is able to log keystrokes.


The trojan attempts to send gathered information to a remote machine.


The trojan hooks the following Windows APIs:

  • NtQueryDirectoryFile (ntdll.dll)
  • NtVdmControl (ntdll.dll)
  • NtEnumerateValueKey (ntdll.dll)
  • NtResumeThread (ntdll.dll)
  • LdrLoadDll (ntdll.dll)
  • CreateFileW (kernel32.dll)
  • FlushInstructionCache (kernel32.dll)
  • PFXImportCertStore (crypt32.dll)
  • CryptEncrypt (advapi32.dll)
  • TranslateMessage (user32.dll)
  • send (ws2_32.dll)
  • InternetCloseHandle (wininet.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpAddRequestHeadersA (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • InternetQueryOptionA (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetWriteFile (wininet.dll)
  • PR_Write (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Close (nspr4.dll)
  • PR_OpenTCPSocket (nspr4.dll)
  • PR_Poll (nspr4.dll)

The trojan can delete cookies.
