TSPY_SPYEYE.SIE

This spyware may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It also has rootkit capabilities, which enables it to hide its processes and files from the user.

It modifies the Internet Explorer Zone Settings.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

Arrival Details

This spyware may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This spyware drops the following copies of itself into the affected system:

• %System Root%\Windows7\4D525EC11D5.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following non-malicious file:

• %System Root%\Windows7\5CE33F6ED109167 - configuration file

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %System Root%\Windows7

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
UU5DUD3ZVFYXZHZGIXBPMU = %System Root%\Windows7\4D525EC11D5.exe /q

Other System Modifications

This spyware adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
EnabledV8 = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
ShownServiceDownBalloon = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Recovery
ClearBrowsingHistoryOnExit = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnOnPostRedirect = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnOnIntranet = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

Backdoor Routine

This spyware connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}daiodsa.com
• {BLOCKED}120.142
• {BLOCKED}domainmuie1245.com
• {BLOCKED}uadhg.com
• {BLOCKED}uasbdiaa.com
• http://{BLOCKED}oias.com/muie.php
• http://{BLOCKED}ll.net/muie.php
• http://{BLOCKED}rload.de/wp-admin/js/tags2.php
• http://{BLOCKED}ckupdomain123.com/muie.php
• http://{BLOCKED}i1.net/muie.php

Rootkit Capabilities

This spyware also has rootkit capabilities, which enables it to hide its processes and files from the user.

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Information Theft

This spyware attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

NOTES:

It injects a remote thread to all running processes except the following:

• 4D525EC11D5.exe
• csrss.exe
• services.exe
• smss.exe
• System

It sends the following system information to its C&C server:

• Account type
• Internet Explorer (IE) version
• Language ID
• Local time
• OS Information
• Tick time
• Timezone
• Volume information

It reports the following BOT information to its C&C server:

• Bot GUID
• Bot hash
• Bot Status (online/offline)
• Bot version
• Function data
• Hooked function
• Plug-in
• Process name
• Status of executed commands

Hooks the following APIs to aid in its malicious routines:

advapi32.dll:
CryptEncrypt

crypt32.dll:
PFXImportCertStore

user32.dll:
TranslateMessage

wininet.dll:
HttpAddRequestHeadersA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestW
InternetCloseHandle
InternetQueryDataAvailable
InternetQueryOptionA
InternetReadFileExA
InternetReadFile
InternetWriteFile

ws2_32.dll:
send

ntdll.dll:
NtClose
NtEnumerateValueKey
NtQueryDirectoryFile
NtResumeThread
NtSetInformationFile
NtVdmControl

It is capable of performing the following routines:

• Capture screenshots
• Harvest email addresses
• Open a remote desktop connection
• Open a reverse connections through a proxy server
• Open a reverse FTP connection
• Perform forms grabbing and webinjects on the following browsers: Internet Explorer, Firefox, Opera, Chrome
• Steal certificates
• Steal FTP accounts
• Steal POP3 accounts
• Update configuration file
• Update itself

It may perform webinjects and steal user information such as user names and passwords when the user visits any of the following banks and/or financial institutions:

• */Estatico/ALP_EBAN_Templates/Styles/common.css
• *53.com/servlet/efsonline*
• *bankofamerica.com/cgi-bin/*GotoWelcomeL
• *bmo.com/OLB/*
• *cibconline.cibc.com/olbtxn/accounts/*
• *discovercard.com/cardmembersvcs/strongauth/app/sa_main*
• *my.ebay.com/ws/eBayISAPI.dll?MyEbay*
• *nwolb.com*
• *oltx.fidelity.com/*/*/ofsummary/summary*
• *online.wellsfargo.com/das/cgi-bin/session.cgi*
• *onlinebanking.mandtbank.com/summary/AccountSummary*
• *onlinebanking.tdbank.com/accts/getAccts.aspL
• *paypal*
• *paypal.com*
• *rbsdigital.com*
• *royalbank.com/cgi-bin/rbaccess/rbcgi*L
• *royalbank.com/wps/myportal/OLB/!ut/*/*/*L
• *royalbank.com/wps/myportal/OLB/!ut/*L
• *secure.lloydstsb.co.uk/personal/*
• *suntrust.com/portal/server.pt?mode=*L
• *usbank.com/internetBanking/RequestRouter?requestCmdId=G*
• *wachovia.com*
• *www1.royalbank.com/cgi-bin/rbaccess/rbcgi3m01*
• h*paypal.com/us/cgi-bin/webscr?cmd=_login-done&login_access=*
• http*://*bankofamerica.com/*
• http*://*chase.com/*
• http*://*halifax-online.co.uk/*
• http*://*lloydstsb.co.uk/*L
• http*://*nwolb.com/*L
• http*://*royalbank.com/wps/myportal/OLB/!ut/*/*/*
• http*://*suntrust.com/*
• http*://*wellsfargo.com/*
• http*capitalone.com*
• http*cibconline.cibc.com*
• http*lloydstsb.co.uk/personal/*/logon/entermemorableinformation.jsp*
• http*pnc.com*
• https*://*halifax*.co.uk/*L
• https://*.wachovia.com/myAccounts.aspx*
• https://*citibank.com/*BS_Id=MemberHomepage*
• https://*usbank.com/internetBanking/RequestRouterL
• https://accesd.desjardins.com/*Operations/*
• https://accounts.key.com/*
• https://chaseonline.chase.com/MyAccounts.aspx
• https://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*
• https://easywebsoc.tdcanadatrust.com/servlet/ca.tdbank.banking.servlet.AccountDetailsServlet*
• https://home*.cbonline.co.uk/ralu/reglm-web/*artialPassword*.ctl
• https://home.cbonline.co.uk/cbib/cbib/*
• https://ibank.barclays.co.uk/olb/w/LoginMember.do
• https://online.citibank.com/US/*
• https://onlinebanking.tdbank.com/login*
• https://personal.co-operativebank.co.uk/CBIBSImages/theme/Master.css
• https://personal.co-operativebank.co.uk/CBIBSWeb/start.do
• https://retail.santander.co.uk/LOGSUK_NS_ENS/BtoChannelDriver.ssobto?dse_operationName=LOGON*
• https://secure.ingdirect.com/myaccount/INGDirect/*
• https://securebank.regions.com/*
• https://trading.scottrade.com/*
• https://www*.bmo.com/onlinebanking/OLB/ppr/mssL
• https://www*.bmo.com/onlinebanking/OLB?id=*L
• https://www*.bmo.com/onlinebanking/OLB?id=*
• https://www.accountonline.com/cards/svc/Dashboard.do*
• https://www.bankline.natwest.com/CWSLogon/logon.do*
• https://www.bankline.rbs.com/CWSLogon/logon.do*
• https://www.hsbc.ca/1/2/!ut/p/c1/*
• https://www.moneybookers.com/app/login.pl*
• https://www.nwolb.*AccountSummary*
• https://www.scotiaonline.scotiabank.com/portal/index.jsp?pageID=financial_services_banking*
• https://www.txn.banking.pcfinancial.ca/a/banking/*
• https://www.vancity.com/*
• https://your.egg.com/security/customer/login.aspx*