Win32/Spy.SpyEye [Threat Name]
Win32/Spy.SpyEye.CA [Threat Variant Name]
Available cleaner: SpyEye Cleaner
Category: trojan
Size: 316416 B
Aliases:
- Trojan-Spy.Win32.SpyEyes.fbv (Kaspersky)
- Infostealer (Symantec)
- Trojan.PWS.SpySweep.44 (Dr.Web)
- Trojan:Win32/EyeStye.H (Microsoft)
Short description
Win32/Spy.SpyEye.CA is a trojan that steals sensitive information. The trojan can send the information to a remote machine. It uses techniques common to rootkits.
Installation
When executed, the trojan copies itself into the following location:
- %systemdrive%\%variable1%\%variable2%.exe
The following file is dropped in the same folder:
- %variable3%
A string with variable content is used in place of %variable1%, %variable2% and %variable3%.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable2%.exe" = "%systemdrive%\%variable1%\%variable2%.exe"
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "EnableHttp1_1" = 1
- "ProxyHttp1.1" = 1
- "WarnOnPost" = 0
- "WarnOnPostRedirect" = 0
- "WarnOnIntranet" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
- "1409" = 3
- "1609" = 0
- "1406" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
- "1409" = 3
- "1609" = 0
- "1406" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
- "1409" = 3
- "1609" = 0
- "1406" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1409" = 3
- "1609" = 0
- "1406" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
- "1409" = 3
- "1609" = 0
- "1406" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
- "1406" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
- "1406" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
- "1406" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
- "1406" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
- "1406" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
- "EnabledV8" = 0
- "ShownServiceDownBalloon" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery]
- "ClearBrowsingHistoryOnExit" = 0
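The following PowerShell audit is an added example and not part of the ESET entry or the SpyEye Cleaner; it checks the current user's hive for the Internet Settings, PhishingFilter and Recovery values listed above and for a Run entry whose command has the `%systemdrive%\<folder>\<name>.exe` shape named after its own executable. The value names and data are taken from the entry; the Run-entry pattern match and the table layout are assumptions made for this example.

```powershell
# Added example: audit HKCU for the registry state described in this entry.
# Assumes it runs in the context of the affected user (the entry only lists HKCU keys).
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$expected = @{
    "$base" = @{ WarnOnPost = 0; WarnOnPostRedirect = 0; WarnOnIntranet = 0 }
    'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter' = @{ EnabledV8 = 0 }
    'HKCU:\Software\Microsoft\Internet Explorer\Recovery' = @{ ClearBrowsingHistoryOnExit = 0 }
}
# Zones 0..4 and Lockdown_Zones 0..4 receive the same value set in the entry.
foreach ($z in 0..4) {
    $expected["$base\Zones\$z"]          = @{ '1409' = 3; '1609' = 0; '1406' = 0 }
    $expected["$base\Lockdown_Zones\$z"] = @{ '1406' = 0 }
}

$findings = @()
foreach ($key in $expected.Keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $expected[$key].Keys) {
        $actual = $props.$name
        # Record only values that match the data the trojan writes.
        if ($null -ne $actual -and [int]$actual -eq $expected[$key][$name]) {
            $findings += [pscustomobject]@{ Key = $key; Value = $name; Data = $actual }
        }
    }
}

# Run entries of the form <systemdrive>\<onefolder>\<name>.exe whose value name is <name>.exe,
# which is the persistence shape given in the entry (%variable1%, %variable2% unknown).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $sd = [regex]::Escape($env:SystemDrive)
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        if ($p.Value -match "^$sd\\([^\\]+)\\([^\\]+\.exe)$" -and $p.Name -eq $Matches[2]) {
            $findings += [pscustomobject]@{ Key = $runKey; Value = $p.Name; Data = $p.Value }
        }
    }
}

$findings | Format-Table -AutoSize
```

Several of the Internet Settings values also occur legitimately (for example "1406" = 0 is a normal setting in some zones), so a lone match there is weak evidence; treat the Run entry, the dropped %variable3% file and the API hooks listed below as the stronger signals to correlate with.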
The trojan may inject its own program code into any running process and execute it there in a new thread.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
Configuration is stored in the following file:
- %variable3%
The communication uses the HTTP protocol.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- monitor network traffic
The trojan is able to log keystrokes.
The trojan attempts to send gathered information to a remote machine.
The trojan hooks the following Windows APIs:
- NtQueryDirectoryFile (ntdll.dll)
- NtVdmControl (ntdll.dll)
- NtEnumerateValueKey (ntdll.dll)
- NtResumeThread (ntdll.dll)
- LdrLoadDll (ntdll.dll)
- CreateFileW (kernel32.dll)
- FlushInstructionCache (kernel32.dll)
- PFXImportCertStore (crypt32.dll)
- CryptEncrypt (advapi32.dll)
- TranslateMessage (user32.dll)
- send (ws2_32.dll)
- InternetCloseHandle (wininet.dll)
- HttpOpenRequestA (wininet.dll)
- HttpAddRequestHeadersA (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- InternetQueryOptionA (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- InternetWriteFile (wininet.dll)
- PR_Write (nspr4.dll)
- PR_Read (nspr4.dll)
- PR_Close (nspr4.dll)
- PR_OpenTCPSocket (nspr4.dll)
- PR_Poll (nspr4.dll)
The trojan can delete cookies.