
Virus Profile: BackDoor-Spyeye

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/10/2010
Date Added: 2/11/2010
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Generic
DAT Required: 5890
Removal Instructions
   
 
 
   

Description

BackDoor-Spyeye is a trojan which, besides its backdoor capabilities, can download files, log user keystrokes, exhibit rootkit behaviour and perform bot-related functions.

Indication of Infection

Presence of network connections to the domains and IP addresses listed under Virus Characteristics.

Methods of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial.

Aliases

Trojan-Spy:W32/Spyeye.A (F-secure), Trojan.Spyeye (Symantec), Trojan:Win32/Spyeye (Microsoft), Win32/Spy.SpyEye.B (Nod32)
   

Virus Characteristics

-----------Update Aug 16, 2011--------------

Aliases -

  • NOD32 - probably a variant of MSIL/PSW.Agent.NBP
  • Ikarus - Trojan-Spy.MSIL
  • BitDefender - Gen:Heur.MSIL.Krypt.3
  • Norman - W32/Suspicious_Gen2.KRIAX

BackDoor-Spyeye is a backdoor that allows a remote attacker unauthorized access to, and control of, a compromised computer.

Upon execution, the malware binary copies itself to the following system location:

  • %UserProfile%\Application DataSystem.exe

The following registry value is added to the system:

  • [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
    System.exe = "%UserProfile%\Application DataSystem.exe"

This registry entry ensures that the Trojan executes on every reboot.

[Note: %UserProfile% is C:\Documents and Settings\Administrator in this analysis]

--------------------------------

------------------------------Update Mar 11, 2011-----------------------------------

File Information:

  • MD5 : bda72e57d263241d52b1fe2ef014cba9
  • SHA1 : fa9dc14b100f1bf5124cd23c322c109b38a70675

Aliases:

  • Kaspersky - Trojan-Spy.Win32.SpyEyes.for
  • Ikarus - Trojan-Spy.Win32.SpyEyes
  • Microsoft - TrojanDownloader:Win32/Karagany.A
  • F-Secure - Trojan-Downloader:W32/Karagany.E

 

BackDoor-Spyeye is a backdoor that allows a remote attacker unauthorized access to, and control of, a compromised computer.

Upon execution, the malware binary copies itself to the system location listed below and connects to the legitimate site "adobe.com" so that the dropped file (adobeutil.exe) appears to be a legitimate Adobe component, which it is not.

    • %AppData%\Adobe\adobeutil.exe
    • %UserProfile%\Desktop\err.log11403750 [Hidden]

This malicious file arrives as an email attachment that claims to come from DHL; its file icon mimics an Adobe Reader PDF file to persuade the user that it is legitimate.

After a while, it connects to the site "[removed]34gsafwe.com" to download other malicious files.

The malware binary injects its malicious code into explorer.exe and connects to the following sites over remote port 80:

    • [removed]files.com
    • [removed]ervidor.es
    • [removed]longt.com

 

It also drops the following files:

    • %UserProfile%\Start Menu\Programs\Startup\AdbUpd.lnk
    • %AppData%\Adobe\AdobeUtil[space].exe [ Not a malicious file]
    • %AppData%\Adobe\adb.cer

The shortcut created in the Startup folder causes the malware to execute every time Windows starts.

It also downloads the following files:

    • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\ESTOCHOD\ftpplug2[1].dll
    • %AppData%\Adobe\plugs\thread.dll
    • %AppData%\Adobe\plugs\mmc11439546.txt
    • %AppData%\Adobe\plugs\mmc

 

The following folders have been added to the system:

    • %AppData%\Adobe\shed
    • %AppData%\Adobe\plugs

 

  • %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
  • %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
  • %ProgramFiles% = \Program Files
  • %SystemDrive% = Root Drive

 

------------------------------Update Mar 11, 2011-----------------------------------

Upon execution, this malware creates the following folder:

  • %SystemRoot%\CleanSweep.exe

Two files are created within this folder:

  • Config.bin
  • CleanSweep.exe

The following registry key and value are created:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    cleansweep.exe = "C:\cleansweep.exe\cleansweep.exe"

The created folder, files and registry entries are hidden by a user-mode rootkit, detected as BackDoor-Spyeye!rootkit.

The malware hooks various exported APIs in a number of processes and can monitor and log network traffic, log keystrokes (and other user information such as credit card numbers) and perform bot-related activities. It can also download files and update itself.

During our analysis, the bot was seen making connections to the following:

  • themuzik.org
  • 91.213.174.34
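As an added example (not part of the McAfee profile), a small Python triage script that checks constructed Run-key values, a Startup-folder listing and connection records against the persistence and network indicators listed in the updates above; the log-line format and all sample values are assumptions:

```python
import re

# Indicators copied from the profile above: Run-key value names with the path
# fragment their command should contain, the Startup shortcut, and C2 hosts.
RUN_VALUE_INDICATORS = {
    "system.exe": r"application data",      # Aug 16, 2011 update
    "cleansweep.exe": r"cleansweep\.exe",   # Mar 11, 2011 update
}
STARTUP_LNK_INDICATORS = {"adbupd.lnk"}
NETWORK_INDICATORS = {"themuzik.org", "91.213.174.34"}

def check_run_values(run_values):
    """run_values: (value_name, command) pairs read from a CurrentVersion\\Run key.
    Returns the value names whose name and command both match the profile."""
    hits = []
    for name, command in run_values:
        pattern = RUN_VALUE_INDICATORS.get(name.lower())
        if pattern and re.search(pattern, command, re.IGNORECASE):
            hits.append(name)
    return hits

def check_startup_folder(filenames):
    """filenames: entries of the user's Start Menu\\Programs\\Startup folder."""
    return [f for f in filenames if f.lower() in STARTUP_LNK_INDICATORS]

def check_connections(log_lines):
    """log_lines: constructed 'src:port -> dst:port' records (assumed format);
    returns (dst, port) for destinations listed in the profile."""
    hits = []
    for line in log_lines:
        m = re.search(r"->\s*([^\s:]+):(\d+)", line)
        if m and m.group(1).lower() in NETWORK_INDICATORS:
            hits.append((m.group(1), int(m.group(2))))
    return hits

# Constructed sample input (not from a real host); the malicious entries use the
# values exactly as the profile lists them, the others are benign decoys.
SAMPLE_RUN_VALUES = [
    ("System.exe", r'"%UserProfile%\Application DataSystem.exe"'),
    ("cleansweep.exe", r'"C:\cleansweep.exe\cleansweep.exe"'),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_STARTUP = ["desktop.ini", "AdbUpd.lnk"]
SAMPLE_CONNECTIONS = [
    "10.0.0.5:1043 -> themuzik.org:80",
    "10.0.0.5:1044 -> 91.213.174.34:80",
    "10.0.0.5:1045 -> update.microsoft.com:443",
]
```

On a real host the three inputs would come from a registry export, a directory listing and firewall or proxy logs; a value name match alone is not flagged, since the command must also point where the profile says.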

 

   

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

1. Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click "Repair Your Computer".
When the System Recovery Options dialog appears, choose Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Restart the computer and remove the CD from the CD-ROM drive.