TSPY_SPYEYE.CF

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It also has rootkit capabilities, which enables it to hide its processes and files from the user.

It modifies the Internet Explorer Zone Settings.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data. It retrieves specific information from the affected system.

It connects to certain websites to send and receive information. It deletes the initially executed copy of itself.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

• %System Root%\RECYCLER\{random file name}.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following non-malicious file:

• %System Root%\RECYCLER\{random file name}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
EnabledV8 = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
ShownServiceDownBalloon = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Recovery
ClearBrowsingHistoryOnExit = "0"

Rootkit Capabilities

This spyware also has rootkit capabilities, which enables it to hide its processes and files from the user.

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Information Theft

This spyware attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

It retrieves the following information from the affected system:

• Operating System Information
• Status (online/offline)
• Internet Explorer version
• Account Type
• Volume information
• Language ID
• Tick Time
• Timezone
• Local Time
• Bot Version
• Bot GUID
• Bot Hash
• Plug-in
• Function Data
• Process Name
• Hooked Function
• Process Name

Other Details

This spyware connects to the following website to send and receive information:

• http://{BLOCKED}2.{BLOCKED}0.164.206/email/gate.php

It does the following:

• Update configuration file
• Update itself
• Modify Internet Setting Zones
• Modify Mozilla Firefox preference file
• Log keystrokes
• Fill form data
• Steal FTP and POP3 user names and passwords
• Capture entered information in web forms

It deletes the initially executed copy of itself

NOTES:
It sends the retrieved information to a remote malicious user.

It may perform webinjects and steal user information such as usernames and passwords when the user visits any of the following banks and/or financial institutions:

• *.entropay.com/basemenu/prot/*
• *bankofamerica.com/*
• *bankofamerica.com/cgi-bin/*GotoWelcome
• *cibconline.cibc.com/olbtxn/accounts/*
• *online.wellsfargo.com/das/cgi-bin/session.cgi*
• *onlinebanking.tdbank.com/accts/getAccts.asp
• *paypal*
• *paypal.com*
• *royalbank.com/cgi-bin/rbaccess/rbcgi*
• *royalbank.com/wps/myportal/OLB/!ut/*
• *royalbank.com/wps/myportal/OLB/!ut/*/*/*
• *suntrust.com/portal/server.pt?mode=*
• *www1.royalbank.com/cgi-bin/rbaccess/rbcgi3m01*
• h*paypal.com/us/cgi-bin/webscr?cmd=_login-done&login_access=*
• http*://*chase.com/*
• http*://*royalbank.com/wps/myportal/OLB/!ut/*/*/*
• http*://*suntrust.com/*
• http*://*wellsfargo.com/*
• http*bmo.com*
• http*capitalone.com*
• http*cibconline.cibc.com*
• http*easywebsoc.td.com*
• http*pnc.com*
• https://*.bankofamerica.com/*/commonscript.js
• https://*.wachovia.com/myAccounts.aspx*
• https://*citibank.com/*BS_Id=MemberHomepage*
• https://*usbank.com/internetBanking/RequestRouter
• https://chaseonline.chase.com/MyAccounts.aspx
• https://easyweb*.tdcanadatr st.com/servlet/*FinancialSummaryServlet*
• https://onlineeast#.bankofamerica.com/*/GotoCustomerServiceMenu*
• https://onlineeast#.bankofamerica.com/*/GotoWelcome
• https://onlineeast#.bankofamerica.com/*/SplashPageControl*
• https://sitekey.bankofamerica.com/sas/maint.do
• https://sitekey.bankofamerica.com/sas/resetPasscode*
• https://sitekey.bankofamerica.com/sas/resetPasscode*Action.do
• https://sitekey.bankofamerica.com/sas/resetPasscodeScreen
• https://www.moneybookers.com/app/login.pl*