
Virus Profile: PWS-Spyeye

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/23/2010
Date Added: 3/23/2010
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Password Stealer
DAT Required: 5929
Removal Instructions

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • AVG: Generic22.BNHJ
  • NOD32: a variant of Win32/Kryptik.OEY
  • Microsoft: Trojan:Win32/EyeStye.N
  • TrendMicro: TROJ_GEN.R72C2F3

Indication of Infection

  • Presence of the files and registry keys listed below.
  • Unexpected connections to the IP addresses and hosts listed below.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain known variants were also known to be installed via web exploits.


Virus Characteristics

-------Updated on Jul 05, 2012--------

Aliases

  • Microsoft: Worm:Win32/Cridex.E
  • Kaspersky: Trojan-Dropper.Win32.Dapato.bjnm
  • Ikarus: Trojan-Spy.Agent
  • Symantec: W32.Cridex

Upon execution, the Trojan copies itself to the following location:

  •  %Appdata%\KB01355874.exe

It drops the following script file:

  • %temp%\exp[varies].tmp.BAT

After execution, the Trojan uses the above script file to delete its original copy from the compromised system.

The following registry value ensures that the Trojan is registered on the compromised system and executes on every boot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "KB01355874.exe" = "%Appdata%\KB01355874.exe"

It injects code into explorer.exe and tries to connect to the following IP address on port 8080:

  • 123.[removed].61.59

-------Updated on Nov 29, 2011--------

Aliases

  • Avp: UDS:DangerousObject.Multi.Generic
  • Drweb: Trojan.PWS.SpySweep.143

Upon execution, the Trojan drops files into the following locations:

    • %Temp%\smgWSI.exe
    • %SystemDrive%\systemhost\24FC2AE33B8.exe
    • %SystemDrive%\systemhost\947697BBA316CBB [Detected as pws-spyeye!conf]

The following registry keys have been added:

    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\PhishingFilter
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Internet Explorer\Recovery
    • HKEY_USERS\S-1-[varies]\Software\Microsoft Windows

The following registry values have been added:

    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Explorer\PhishingFilter\
      EnabledV8 = 0x00000000
      ShownServiceDownBalloon = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Explorer\Recovery\
      ClearBrowsingHistoryOnExit = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
      ProxyHttp1.1 = 0x00000001
      WarnOnPostRedirect = 0x00000000
      WarnOnIntranet = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\
      1409 = 0x00000003
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\
      1409 = 0x00000003
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
      1409 = 0x00000003
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
      1409 = 0x00000003
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\
      1409 = 0x00000003
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
      YI9B2F0FYEXHXY1ZZON = "%SystemDrive%\systemhost\24FC2AE33B8.exe"

The above Run entry ensures that the Trojan executes every time Windows starts.

The following registry values have been modified:

    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
      WarnOnPost = 00 00 00 00
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\
      1406 = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\
      1406 = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\
      1406 = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\
      1609 = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\
      1406 = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\
      1609 = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
      1609 = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
      1406 = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
      1609 = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\
      1406 = 0x00000000
    • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\
      1609 = 0x00000000

After execution, the original copy of the Trojan deletes itself from the system.

The Trojan also creates the following folder:

    • %SystemDrive%\systemhost

Note:
    • %SystemDrive% = C:\
    • %Temp% = C:\Documents and Settings\[UserName]\Local Settings\Temp

-----

--Updated on July 60, 2011--

Aliases

  • Kaspersky: Trojan-Spy.Win32.Zbot.bvqm
  • Symantec: Trojan.Zbot
  • Ikarus: Trojan.Win32.Spyeye
  • NOD32: Win32/Spy.Zbot.YW

When executed, the Trojan connects to the following sites:

  • Ma[Removed]ind.com on remote port 80.
  • testing.ph[Removed]trooms.com on remote port 3177.

The Trojan also injects itself into Explorer.exe and connects to the site bcsi[Removed]oup.com on remote port 80.

It drops the following files:

  • %Appdata%\Bako\ecyzu.aci
  • %Appdata%\Bako\ecyzu.tmp
  • %Appdata%\Lupan\maew.exe

The following registry keys have been added to the system:

  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Explorer\Privacy
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Myoks
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Visual Basic
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Visual Basic\6.0

The following registry value has been added to the system:

  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Explorer\Privacy\CleanCookies: 0x00000000

The above registry value disables the Internet Explorer option for clearing cookies.

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    "{1D00BB43-7036-5E81-E0F5-92A0700F8912}" = "%Appdata%\Lupan\maew.exe"

The above Run entry ensures that the Trojan registers itself to start, and executes, upon every reboot.

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
    "%Windir%\explorer.exe" = "%Windir%\explorer.exe:*:Enabled:Windows Explorer"

The above entry adds explorer.exe, into which the Trojan injects, to the Windows Firewall list of authorized applications.

The following registry values have been modified on the system:

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\]
    “1609” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\]
    “1406” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\]
    “1609” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\]
    “1609” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\]
    “1406” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\]
    “1609” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\]
    “1406” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\]
    "1609" = "0x00000000"

The above registry entries lower Internet Explorer's security zone settings.

-----------------------------------------------

Upon execution, the Trojan injects itself into explorer.exe and connects to the IP address "92.241.[Removed].46" on remote port 4444.
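The network indicators in this profile share one shape: explorer.exe, after injection, opening outbound connections to remote ports 8080, 80, 3177 and 4444, with the destination addresses redacted. The script below is an added example and not McAfee's tooling; it parses a constructed `netstat -ano` snapshot together with a constructed PID-to-image map (what `tasklist` would give) and flags those connections. The addresses in the sample are RFC 5737 documentation addresses standing in for the redacted ones.

```python
"""Flag explorer.exe outbound TCP connections to the remote ports this
profile associates with the injected SpyEye/Cridex traffic.

Added example, not part of the McAfee profile. NETSTAT_SAMPLE and PID_MAP
are constructed data; the IP addresses are documentation placeholders.
"""
import re
from collections import namedtuple

# Remote ports reported in the profile for the explorer.exe connections.
SUSPECT_PORTS = {80, 3177, 4444, 8080}

# Constructed snapshot of `netstat -ano` output, TCP rows only.
NETSTAT_SAMPLE = """\
  TCP    10.0.0.5:49230   203.0.113.10:8080    ESTABLISHED     1504
  TCP    10.0.0.5:49231   203.0.113.11:443     ESTABLISHED     2288
  TCP    10.0.0.5:49232   198.51.100.7:4444    SYN_SENT        1504
  TCP    10.0.0.5:49233   198.51.100.9:80      ESTABLISHED     3012
  TCP    0.0.0.0:445      0.0.0.0:0            LISTENING       4
"""

# Constructed PID -> image name map, as `tasklist` would report it.
PID_MAP = {1504: "explorer.exe", 2288: "chrome.exe", 3012: "explorer.exe", 4: "System"}

Conn = namedtuple("Conn", "proto local remote_host remote_port state pid")

# proto, local endpoint, remote host, remote port, state, owning PID
NETSTAT_RE = re.compile(r"^\s*(TCP)\s+(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Parse `netstat -ano` TCP rows into Conn tuples; other rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, rhost, rport, state, pid = m.groups()
        conns.append(Conn(proto, local, rhost, int(rport), state, int(pid)))
    return conns


def find_suspect_connections(conns, pid_map, ports=SUSPECT_PORTS):
    """Return connections owned by explorer.exe whose remote port is in `ports`.

    Listening sockets have no meaningful remote port and are ignored.
    """
    hits = []
    for c in conns:
        if c.state == "LISTENING":
            continue
        image = pid_map.get(c.pid, "").lower()
        if image == "explorer.exe" and c.remote_port in ports:
            hits.append(c)
    return hits


if __name__ == "__main__":
    for hit in find_suspect_connections(parse_netstat(NETSTAT_SAMPLE), PID_MAP):
        print(f"explorer.exe (pid {hit.pid}) -> {hit.remote_host}:{hit.remote_port} [{hit.state}]")
```

Port 80 hits from explorer.exe are common on a healthy system, so on their own they are a prompt to check the destination host against the profile's domain fragments, whereas explorer.exe reaching out on 4444, 3177 or 8080 is unusual enough to investigate directly.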

Upon execution, the Trojan creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery
  • HKEY_CURRENT_USER\Software\Microsoft Windows

The following registry values have been added to the system

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Explorer\PhishingFilter\]
    “EnabledV8” = “0x00000000”

The above value disables the Internet Explorer Phishing Filter.

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Explorer\PhishingFilter\]
    “ShownServiceDownBalloon” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Explorer\Recovery\]
    “ClearBrowsingHistoryOnExit” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\]
    “ProxyHttp1.1” = “0x00000001”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\]
    “WarnOnPostRedirect” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\]
    “WarnOnIntranet” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\]
    “GlobalUserOffline” = “0x00000000”

The following registry values have been modified:

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\]
    “1609” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\]
    “1406” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\]
    “1609” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\]
    “1609” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\]
    “1406” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\]
    “1609” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\]
    “1406” = “0x00000000”
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\]
    "1609" = "0x00000000"

The above registry entries lower Internet Explorer's security zone settings.
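The registry changes listed across the updates above repeat the same handful of patterns: a Run-key value pointing at the dropped executable (KB01355874.exe, %SystemDrive%\systemhost, %Appdata%\Lupan), PhishingFilter EnabledV8 = 0, zone values 1406 and 1609 set to 0 and 1409 set to 3, and a firewall authorized-application entry for explorer.exe. The script below is an added example and not McAfee's tooling; it parses a constructed `.reg` export of a user hive and reports those patterns. The key paths and value names come from the profile; the SID, the OneDrive entry and the C:\ paths are constructed placeholders.

```python
"""Scan a Windows .reg export for the persistence, Internet Explorer
and firewall changes listed in the PWS-Spyeye profile.

Added example, not part of the McAfee profile. REG_SAMPLE is a constructed
export; SID, OneDrive entry and drive letters are placeholders.
"""
import re

REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"YI9B2F0FYEXHXY1ZZON"="C:\\systemhost\\24FC2AE33B8.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Internet Explorer\PhishingFilter]
"EnabledV8"=dword:00000000

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000000
"1409"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\explorer.exe"="C:\\Windows\\explorer.exe:*:Enabled:Windows Explorer"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data, where the name may contain \" and \\ escapes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode(data):
    """dword:xxxxxxxx -> int, "..." -> unescaped str, anything else untouched."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    return data


def parse_reg(text):
    """Return {key_path: {value_name: decoded_data}} for a .reg export."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries[key][_unescape(m.group(1))] = _decode(m.group(2))
    return entries


# Paths the profile lists for the dropped executables.
DROP_PATH_RE = re.compile(r"\\systemhost\\|\\lupan\\|KB01355874\.exe", re.IGNORECASE)
ZONE_KEY_RE = re.compile(r"\\Internet Settings\\(Lockdown_)?Zones\\[0-4]$", re.IGNORECASE)


def scan(entries):
    """Return (finding, key, value_name, data) tuples for profile-listed changes."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if isinstance(data, str) and DROP_PATH_RE.search(data):
                    findings.append(("persistence", key, name, data))
        elif k.endswith(r"\internet explorer\phishingfilter"):
            if values.get("EnabledV8") == 0:
                findings.append(("phishing-filter-disabled", key, "EnabledV8", 0))
        elif ZONE_KEY_RE.search(key):
            # 1406 = access data sources across domains, 1609 = display mixed
            # content; 0 is "Enable", the most permissive choice for both.
            for name in ("1406", "1609"):
                if values.get(name) == 0:
                    findings.append(("ie-zone-downgrade", key, name, 0))
            # 1409 = XSS Filter; 3 disables it.
            if values.get("1409") == 3:
                findings.append(("xss-filter-disabled", key, "1409", 3))
        elif k.endswith(r"\authorizedapplications\list"):
            for name, data in values.items():
                if name.lower().endswith("explorer.exe") and ":enabled:" in str(data).lower():
                    findings.append(("firewall-exception", key, name, data))
    return findings


if __name__ == "__main__":
    for finding in scan(parse_reg(REG_SAMPLE)):
        print(finding)
```

Run it against `reg export HKU\<SID> hive.reg` output (and `reg export HKLM\SYSTEM` for the firewall list) read from disk instead of REG_SAMPLE; a Run value is reported only when its data matches the profile's drop paths, so an unrelated autostart such as the OneDrive entry stays silent.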

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

1. Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click "Repair Your Computer".
  • When the System Recovery Options dialog appears, choose Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.