Win32/Spy.SpyEye [Threat Name] go to Threat

Win32/Spy.SpyEye.CA [Threat Variant Name]

Available cleaner [Download SpyEye Cleaner ]

Category	trojan
Size	316416 B
Aliases	Trojan-Spy.Win32.SpyEyes.fbv (Kaspersky)
	Infostealer (Symantec)
	Trojan.PWS.SpySweep.44 (Dr.Web)
	Trojan:Win32/EyeStye.H (Microsoft)

Short description

Win32/Spy.SpyEye.CA is a trojan that steals sensitive information. The trojan can send the information to a remote machine. It uses techniques common for rootkits.

Installation

When executed, the trojan copies itself into the following location:

%systemdrive%\%variable1%\%variable2%.exe

The following file is dropped in the same folder:

%variable3%

A string with variable content is used instead of %variable1-3% .

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable2%.exe" = "%systemdrive%\%variable1%\%variable2%.exe"

The following Registry entries are set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "EnableHttp1_1" = 1
- "ProxyHttp1.1" = 1
- "WarnOnPost" = 0
- "WarnOnPostRedirect" = 0
- "WarnOnIntranet" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1409" = 3
- "1609" = 0
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1409" = 3
- "1609" = 0
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1409" = 3
- "1609" = 0
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1409" = 3
- "1609" = 0
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1409" = 3
- "1609" = 0
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
- "1406" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
- "EnabledV8" = 0
- "ShownServiceDownBalloon" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery]
- "ClearBrowsingHistoryOnExit" = 0

The trojan may create and run a new thread with its own program code within any running process.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

Configuration is stored in the following file:

%variable3%

The HTTP protocol is used in the communication.

It can execute the following operations:

download files from a remote computer and/or the Internet
run executable files
update itself to a newer version
monitor network traffic

The trojan is able to log keystrokes.

The trojan attempts to send gathered information to a remote machine.

The trojan hooks the following Windows APIs:

NtQueryDirectoryFile (ntdll.dll)
NtVdmControl (ntdll.dll)
NtEnumerateValueKey (ntdll.dll)
NtResumeThread (ntdll.dll)
LdrLoadDll (ntdll.dll)
CreateFileW (kernel32.dll)
FlushInstructionCache (kernel32.dll)
PFXImportCertStore (crypt32.dll)
CryptEncrypt (advapi32.dll)
TranslateMessage (user32.dll)
send (ws2_32.dll)
InternetCloseHandle (wininet.dll)
HttpOpenRequestA (wininet.dll)
HttpAddRequestHeadersA (wininet.dll)
HttpQueryInfoA (wininet.dll)
InternetQueryOptionA (wininet.dll)
InternetQueryDataAvailable (wininet.dll)
InternetReadFile (wininet.dll)
InternetReadFileExA (wininet.dll)
HttpSendRequestA (wininet.dll)
HttpSendRequestW (wininet.dll)
InternetWriteFile (wininet.dll)
PR_Write (nspr4.dll)
PR_Read (nspr4.dll)
PR_Close (nspr4.dll)
PR_OpenTCPSocket (nspr4.dll)
PR_Poll (nspr4.dll)

The trojan can delete cookies.