Win32/Spy.SpyEye [Threat Name]

Win32/Spy.SpyEye.B [Threat Variant Name]

Available cleaner [Download SpyEye Cleaner]

Category trojan
Size 70144 B
Aliases Trojan.Win32.Pincav.shd (Kaspersky)
  BackDoor-Spyeye (McAfee)
  Trojan.Spyeye (Symantec)
Short description

Win32/Spy.SpyEye.B is a trojan that steals sensitive information and can send it to a remote machine. The file is run-time compressed using UPX. It uses techniques common to rootkits.


When executed, the trojan copies itself into the %systemdrive%\cleansweep.exe\ folder using the following name:

  • cleansweep.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "cleansweep.exe" = "%systemdrive%\cleansweep.exe\cleansweep.exe"

The trojan may create and run a new thread with its own program code within any running process.

Other information

The trojan hooks the following Windows APIs:

  • NtEnumerateValueKey (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • NtVdmControl (ntdll.dll)
  • NtResumeThread (ntdll.dll)
  • LdrLoadDll (ntdll.dll)
  • TranslateMessage (user32.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • send (ws2_32.dll)
  • CryptEncrypt (advapi32.dll)

The trojan acquires data and commands from a remote computer or the Internet, using the HTTP protocol. It contains a list of URLs (1 in total).

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • monitor network traffic
  • log keystrokes

The trojan can send the information to a remote machine.

The trojan creates the following files:

  • %systemdrive%\cleansweep.exe\config.bin
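
The trojan hooks NtEnumerateValueKey and NtQueryDirectoryFile, the calls used to enumerate registry values and directory entries, so the check below is written to run over autorun values and file listings collected offline (for example from a mounted disk image). It is an added example, not ESET's code; the function names and the input tuple layout are assumptions, the sample data is constructed, and only the indicators come from this description.

```python
import re

RUN_KEY = r"software\microsoft\windows\currentversion\run"
# Indicators exactly as listed in this description.
IOC_RUN_NAME = "cleansweep.exe"
IOC_PATHS = (
    r"%systemdrive%\cleansweep.exe\cleansweep.exe",
    r"%systemdrive%\cleansweep.exe\config.bin",
)

def norm(path, systemdrive="C:"):
    """Canonicalise a Windows path: drop soft hyphens and quotes, expand %systemdrive%."""
    p = path.replace("\u00ad", "").strip().strip('"')
    p = re.sub(r"%systemdrive%", lambda m: systemdrive, p, flags=re.I)
    return p.replace("/", "\\").rstrip("\\").lower()

def find_indicators(run_values, file_paths, systemdrive="C:"):
    """run_values: (key_path, value_name, value_data) tuples; file_paths: path strings.
    Returns a list of (kind, evidence) tuples, one per matching indicator."""
    wanted = {norm(p, systemdrive) for p in IOC_PATHS}
    hits = []
    for key, name, data in run_values:
        if not norm(key).endswith(RUN_KEY):
            continue  # only the Run key is named in the description
        if norm(name) == IOC_RUN_NAME or norm(data, systemdrive) in wanted:
            hits.append(("run_key", f"{key}\\{name} = {data}"))
    for path in file_paths:
        # Full-path match: a cleansweep.exe elsewhere on disk is not an indicator.
        if norm(path, systemdrive) in wanted:
            hits.append(("file", path))
    return hits

# Constructed sample data (not taken from a real host).
SAMPLE_RUN = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "cleansweep.exe",
     r"C:\cleansweep.exe\cleansweep.exe"),
]
SAMPLE_FILES = [r"C:\cleansweep.exe\config.bin", r"C:\Windows\notepad.exe",
                r"C:\Tools\cleansweep.exe"]

if __name__ == "__main__":
    for kind, evidence in find_indicators(SAMPLE_RUN, SAMPLE_FILES):
        print(kind, evidence)
```

Paths copied from a web rendering of this description may carry invisible soft hyphens (U+00AD) after each backslash, which is why `norm` strips them before comparing.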
