TSPY_SPYEYE.BY

This spyware may perform webinjects and steal user information such as user names and passwords when the user visits certain banking sites and/or financial institutions. It may also capture screenshots of certain banks and/or financial institutions.

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It also has rootkit capabilities, which enables it to hide its processes and files from the user.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data. It steals certain information from the system and/or the user.

It connects to certain websites to send and receive information.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following component file(s):

• %System Root%\WinLdrv.Bin\{random filename}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

• %System Root%\WinLdrv.Bin\{random filename}.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %System Root%\WinLdrv.Bin

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%System Root%\WinLdrv.Bin\{random file name}.exe"

Rootkit Capabilities

This spyware also has rootkit capabilities, which enables it to hide its processes and files from the user.

Information Theft

This spyware attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

It steals the following information:

• Operating System Information
• Status (online/offline)
• Internet Explorer version
• Account Type
• Volume information
• Language ID
• Tick Time
• Timezone
• Local Time
• Bot Version
• Bot GUID
• Bot Hash
• Plug-in
• Function Data
• Process Name
• Hooked Function
• Process Name

Other Details

This spyware connects to the following website to send and receive information:

• http://{BLOCKED}.{BLOCKED}.82.125/query/dns.php
• http://{BLOCKED}.{BLOCKED}.82.126/query/dns.php
• http://{BLOCKED}.{BLOCKED}.82.127/query/dns.php
• http://{BLOCKED}.{BLOCKED}.82.128/query/dns.php
• http://{BLOCKED}.{BLOCKED}y.net/query/dns.php

It does the following:

• Update configuration file
• Update itself
• Modify Internet Setting Zones
• Modify Mozilla Firefox preference file
• Log keystrokes
• Fill form data
• Steal FTP and POP3 user names and passwords
• Capture entered information in web forms

NOTES:

It sends the information it steals to a remote malicious user.

It may perform webinjects and steal user information such as user names and passwords when the user visits any of the following banks and/or financial institutions:

• *.webcashmgmt.com*
• */cashman/*
• */cashplus/*
• */onlineserv/CM/*
• *bankofamerica.com/*
• *bankofamerica.com/*/GotoWelcome*
• *bankofamerica.com/*/SplashPageControl*
• *business-eb.ibanking-services.com*
• *businessaccess.citibank.citigroup.com*
• *businessbankingcenter.synovus.com*
• *businessinternetbanking.synovus.com*
• *businessonline.huntington.com*
• *businessonline.tdbank.com*
• *cashproonline.bankofamerica.com*
• *cbs.firstcitizensonline.com*
• *ceowt.wellsfargo.com*
• *chaseonline.chase.com/MyAccounts.aspx*
• *chsec.wellsfargo.com*
• *comerica.com/cma/portal/mybusinessconnect*
• *comerica.com/nv/TMConnectWeb*
• *cpw-mibs.bankofamerica.com*
• *directline4biz.com*
• *directportal.bankofamerica.com*
• *express.53.com*
• *goldleafach.com*
• *ibc.klikbca.com*
• *itreasury.regions.com*
• *ktt.key.com*
• *moneymanagergps.com*
• *netconnect.bokf.com*
• *ocm.suntrust.com*
• *online.citibank.com/US/JPS/portal/Home.do*
• *otm.suntrust.com*
• *premierview.membersunited.org*
• *presidiobank.com/onlineserv/CM*
• *privatebk.ebanking-services.com*
• *securentrycorp.amegybank.com*
• *singlepoint.usbank.com*
• *smallbusinessonline.bbt.com*
• *treas-mgt.frostbank.com*
• *treasurydirect*tdbank.com*
• *treasurydirect.cpo.tdbank.com*
• *treasurydirect.soc.tdbank.com*
• *trz.tranzact.org*
• *ub-businessonline.blilk.com*
• *web-cashplus.com*
• *wellsadmin.wellsfargo.com*
• *wellsnet.wellsfargo.com*
• *wellsoffice.wellsfargo.com*
• *wellsstation.wellsfargo.com*
• https://*.bankofamerica.com/*/commonscript.js
• https://online.citibank.com/US/JRS/portal/accountSummary.do
• https://online.citibank.com/US/JRS/portal/accountSummary.do
• https://online.citibank.com/US/jba/rs/ShowTargetAppFromPortlet.do?targetSubApp=*
• https://onlineeast#.bankofamerica.com/*/GotoCustomerServiceMenu*
• https://onlineeast#.bankofamerica.com/*/GotoWelc me
• https://onlineeast#.bankofamerica.com/*/SplashPageControl*
• https://sitekey.bankofamerica.com/sas/maint.do

• */Authentication/Views/LoginCM.aspx*
• */US/JRS/wires/Init.do*
• */inets/Login*
• */onlineserv/CM*
• *CLKCCM*
• *Login.aspx?fi=progressbankfl*
• *PassMarkRecognized.aspx*
• *access.jpmorgan.com*
• *access.usbank.com*
• *account.marathonbet.com*
• *account3000.com*
• *activobank.com*
• *addisonavenue.com*
• *alltimetreasury.*
• *alltimetreasury.pacificcapitalbank.com*
• *americansavingsnj2.com*
• *authmaster.nationalcity.com*
• *bamlservice.bankofamerica.com*
• *banking.calbanktrust.com*
• *banking.first-direct.com*
• *banknetpower.net*
• *bankoffortbendonline.com*
• *bankofny.com*
• *bankonline.umpquabank.com*
• *banksterling*
• *bb/logon*
• *bcge.ch*
• *bgnetplus.com*
• *bhibank.com*
• *bnycash.bankofny.com*
• *bob.sovereignbank.com*
• *bofacapital.bankofamerica.com*
• *boh.webcashmgmt.com*
• *business-eb.ibanking-services.com*
• *business.macu.com*
• *businessaccess.citibank.citigroup.com*
• *businessbanking.banif.com*
• *businessbanking.banif.com.mt*
• *businesscenter.gemoney.com*
• *businessclassonline.com*
• *businessclassonline.compassbank.com*
• *businesslogin*
• *businessonline.huntington*
• *businessonline.huntington.com*
• *businessonline.tdbank.com*
• *businessonlineaccess.web-cashplus.com*
• *bxs.com*
• *capitalsecuritybank.com*
• *cardsonline-consumer.com*
• *cashman.*
• *cashman.arvest.com*
• *cashmanagement.*
• *cashmanagement.firstambank.com*
• *cashmgt.*
• *cashmgt.firsttennessee*
• *cashmgt.firsttennessee.biz*
• *cashplus.*
• *cashproonline.bankofamerica.com*
• *cashproweb.com*
• *cayebank.bz*
• *cbolobank.com*
• *cbs.firstcitizens.com*
• *cdb.com*
• *centralbank.gov.cy*
• *ceowt.wellsfargo.com*
• *cfgbusinessaccess.com*
• *chsec.wellsfargo.com*
• *chsec.wellsfargo.com/siteminderagent/pwcgi/smpwservicescgi.exe*
• *cib.bankofthewest.com*
• *cibc.com*
• *citibank.co.uk*
• *citizensbank.ebanking-services.com*
• *citizensbankmoneymanagergps.com*
• *cl1.corner.ch*
• *claridenleu.directnet.com*
• *click.alfabank.ru*
• *cmb-home.com*
• *cmbdirect.cmbnv.com*
• *cmol.bbt.com*
• *cmserver*
• *cmserver/welcome/default/verify.cfm*
• *cnbank.com*
• *cnbsec1.cnbank.com*
• *columbiabankonline.com*
• *commerceconnections.commercebank.com*
• *commercetreasurydirect.com*
• *commercial.wachovia.com*
• *communitybankoftx.com*
• *compupayonline.com*
• *cornerlink.ch*
• *cornerlink.ch/ch/html/it/login/*
• *corneronline.ch*
• *corpACH*
• *cpa.bankofamerica.com*
• *cpw-achweb.bankofamerica.com*
• *ctreporter.coletaylor.com*
• *dab-bank.com*
• *direct-certs.bankofamerica.com*
• *direct.53.com*
• *direct.bankofamerica.com*
• *direct.mcbgroup-ebanking.com*
• *directline4biz.com*
• *directpay.wellsfargo.com*
• *directportal.bankofamerica.com*
• *dsipayrollservices.com*
• *e-access.compassbank.com*
• *e-gold.com*
• *e-moneyger.com*
• *easterntreasuryconnect.com*
• *eastwestbankhb.com*
• *eau.bnpparibas.com*
• *ebank.sghambros.com*
• *ebanking-bs.ubs.com*
• *ebanking.caledonian.com*
• *ebill.highmark.com*
• *ecathay.com*
• *efgbank.com*
• *efginternational.com*
• *efgoffshore.com*
• *efirstbank*
• *enternetbank.com*
• *enterprise1.openbank.com*
• *enterprise2.openbank.com*
• *enterprisebanker.com*
• *esgc.com*
• *express.53.com*
• *expressdeposit.*
• *expressdeposit.colonialbank.com*
• *extranet.pictetfunds.com*
• *fareastnationalbank.ebanking-services.com*
• *fbmedirect.com*
• *fbtonline.com*
• *ffce.webcashmgmt.com*
• *ffsbkyonline.com*
• *first-direct.com*
• *firstbanks.com*
• *firstfacts.mandtbank.com*
• *fiservdmecorp1.net*
• *fiservla10.com*
• *fnbcms5.lionbank.com*
• *fnfgbusinessonline.enterprisebanker.com*
• *fundsxpress.com*
• *global1.onlinebank.com*
• *goldleaf*
• *goldleafach.com*
• *google.com/accounts/ServiceLoginAuth?service=adwords*
• *gtbank.com*
• *guard.scotiabank.com*
• *hbcash.exe*
• *hillsbank*
• *iachprod.wellsfargo.com*
• *ibank.bankphb.com*
• *ibank.caymannational.com*
• *ibank.internationalbanking.barclays.com*
• *ibank.scnb.com*
• *ibank.unionbankmo.com*
• *ibanking.ibtc.com*
• *ibc.klikbca.com*
• *independentcm.com*
• *infoplus.mandtbank.com*
• *ingdirect*
• *interatlantic.atlabank.com*
• *internetbanking.firsttennessee.biz*
• *internetbanking.unfcu.org*
• *itreasury.*
• *itreasury.amsouth.com*
• *itreasury.regions.com*
• *itreasurypr.regions.com*
• *ktt.key.com*
• *lakecitybank.webcashmgmt.com*
• *libertymutualbusinessdirect.com*
• *light.webmoney.ru*
• *light.wmtransfer.com*
• *lot-port.bcs.ru*
• *manufacturers.web-access.com*
• *mbczh.ch*
• *mcb-home.com*
• *mcbdirect.mcb-bank.com*
• *merchantservices.capitalonebank.com*
• *metrobankdirect.com*
• *mibusinessonlinebanking.ebanking-services.com*
• *mijn.ing.nl* 600 600 20 900
• *mijnzakelijk.ing.nl* 600 600 20 900
• *miwebcombank.ebanking-services.com*
• *moneymanagergps.com*
• *msblimited.com*
• *mybankfirstunited.wblnk.com*
• *myib.firstmerchants.com*
• *mystreetscape*
• *nashvillecitizensbank.com*
• *nationalcity.com/consultnc*
• *ncbcayman.com*
• *net.kutxa.net*
• *netconnect.bokf.com*
• *nfbconnect.com*
• *nsbank.com*
• *olui2.fs.ml.com/login/login.aspx*
• *onb.webcashmgmt.com*
• *online-offshore.lloydstsb.com*
• *online.barrington-bank.com*
• *online.bcbankinternational.com*
• *online.citibank.com/US/*
• *online.paychex.com*
• *onlinebanking.orcobank.com*
• *onlinetreasurymanager.*
• *onlinetreasurymanager.suntrust.com*
• *otm.suntrust.com*
• *passbank.com*
• *payrollonline.com*
• *pcbmyaccount.com*
• *pictet.com*
• *powerpayroll.net*
• *premierview.membersunited.org*
• *privatea.pictet.com*
• *probanx.com*
• *progressbankfl.com*
• *rbsdigital.com*
• *rsa-ebanking.mbczh.ch*
• *rupay.com*
• *schwabinstitutional.com*
• *scottvalleybank*
• *secure.ally.com*
• *secure.diamondbank.com/corpbanking*
• *secure.fundsxpress.com*
• *securechemicalbankmi.com*
• *securecy.hellenicnetbanking.com*
• *securentry.calbanktrust.com*
• *securentrycorp.*
• *securentrycorp.amegybank.com*
• *securentrycorp.calbanktrust.com*
• *signatureny.web-access.com*
• *singlepoint.usbank.com*
• *skagitonlinebanking.com*
• *solbank.com*
• *springbankconnect.com*
• *ssnb.ebanking-services.com/Auth/SignIn/*
• *sso.uboc*
• *sso.uboc.com*
• *statebanks.blilk.com*
• *sterlingcorporatenetbanking.com*
• *sterlingwires.com*
• *sunnb.blilk.com*
• *suntrust.com/portal/server.pt?space=Redirect&CommunityID=1616*
• *suntrust.com/portal/server.pt?space=Redirect&CommunityID=1685*
• *svbconnect.com*
• *texascapitalbank.com*
• *tmconnectweb*
• *top.capitalonebank.com*
• *towernet.capitalonebank.com*
• *treas-mgt.*
• *treas-mgt.frostbank.com*
• *treasury.*
• *treasury.pncbank.com*
• *treasury.wamu.com*
• *treasurydirect.*
• *treasurydirect.tdbank.com*
• *treasurypathways.com*
• *txcbtw.com*
• *ultrex.info*
• *umpquabank.com*
• *uno-e.com*
• *usgateway1.rbs.com*
• *usgateway2.rbs.com*
• *web-cashplus.com*
• *webcashmanager.*
• *webcashmgmt.*
• *webexpress*
• *webexpress.tdbanknorth.com*
• *wellsoffice.wellsfargo.com*
• *whitneybank.web-access.com*
• *winterbotham.com*
• *wired#.businessmanager.com*
• *ws2.bankbyweb.net*
• *wtb.ebanking-services.com*
• *wupos.westernunion.com*
• *www.amegybank.com/*
• *www2.firstbanks.com/olb*
• *xpresspayroll.com*
• https://secure.ingdirect.com/myaccount/INGDirect/login_pinpad.vm
• https://secure.ingdirect.com/myaccount/INGDirect/security_questions.vm
• https://www.libertyreserve.com/en/customer/account/personal/index.aspx
• https://www.libertyreserve.com/en/customer/login2/account/index.aspx
• https://www.libertyreserve.com/en/customer/login2/index.aspx
• https://www.libertyreserve.com/en/customer/transfer/index.aspx
• https://www.libertyreserve.com/en/customer/wallet/discharge/index.aspx
• https://www.libertyreserve.com/en/customer/wallet/refill/index.aspx