TSPY_EYEBOT.KV
Platform: Windows 2000, XP, Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This spyware may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.
It also has rootkit capabilities, which enable it to hide its processes and files from the user.
It attempts to steal information, such as user names and passwords, used when logging into certain banking or finance-related websites.
TECHNICAL DETAILS
File Size: 321,536 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 09 Nov 2010
Payload: Hides files and processes, Others
Arrival Details
This spyware may be downloaded by other malware/grayware/spyware from remote sites.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This spyware drops the following files:
- %System Root%\dfgfdxxxgf.exe\dfgfdxxxgf.exe - copy of itself
- %System Root%\dfgfdxxxgf.exe\config.bin - configuration file
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It creates the following folders:
- %System Root%\dfgfdxxxgf.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It injects code into the following process(es):
- explorer.exe
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
dfgfdxxxgf.exe = %System Root%\dfgfdxxxgf.exe\dfgfdxxxgf.exe
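A host-side check for the autostart entry above, written as an added example for this entry (it is not Trend Micro's code). It parses the text of a Windows registry export in `.reg` format (as written by `reg export`) and reports any value under the Run key listed above whose data points at the dropped dfgfdxxxgf.exe path. The export embedded in the block is constructed for the demonstration; the key and path are the ones given in this entry.

```python
"""Flag autostart entries that point at the TSPY_EYEBOT.KV dropped path.

Added example, not Trend Micro's code. Parses a Windows .reg export and
reports Run-key values whose data references the dropped binary path named
in this entry. The export text below is constructed for the demonstration.
"""
import re
from typing import List, Tuple

# Indicators taken from this entry: the autostart key and the dropped binary.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_BINARY = r"dfgfdxxxgf.exe\dfgfdxxxgf.exe"

# Constructed sample export: one benign value and the spyware's value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"dfgfdxxxgf.exe"="C:\\dfgfdxxxgf.exe\\dfgfdxxxgf.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" where both sides may contain \" and \\ escapes
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\ becomes \ and \" becomes "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, value_data) for every string value in the export."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            entries.append((current_key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def find_eyebot_autostart(text: str) -> List[Tuple[str, str, str]]:
    """Return Run-key values whose data contains the dropped binary path."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() == RUN_KEY.lower() and DROPPED_BINARY.lower() in data.lower():
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_eyebot_autostart(SAMPLE_REG_EXPORT):
        print(f"suspicious autostart: {key}\\{name} = {data}")
```

The match is on the value data rather than the value name, so a sample that keeps the same drop path under a different value name is still caught; the key comparison is case-insensitive because registry paths are.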
Rootkit Capabilities
This spyware also has rootkit capabilities, which enable it to hide its processes and files from the user.
Information Theft
This spyware monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar and title bar. If a user visits a banking site whose address bar or title bar matches any of the following strings, it recreates the legitimate website with a spoofed login page:
- *chase.com*
- *hiring.monster.com*Login*
- *libertyreserve.com* 150 150 10000 900
- http*chaseonline.chase.com/
- http*chaseonline.chase.com/MyAccounts.aspx*
- https://www.usaa.com/inet/ent_logon/Logon*
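The strings above use `*` as a wildcard. The following added example (not Trend Micro's code) compiles them into anchored, case-insensitive patterns so an analyst can test which of the listed masks a given URL or window title would satisfy. Treating `*` as "any run of characters" and anchoring the mask at both ends is an assumption about how the configuration is interpreted; the trailing numbers on the Liberty Reserve line are not treated as part of the mask here, also an assumption. The sample URLs and titles are constructed.

```python
"""Test which TSPY_EYEBOT.KV target masks a URL or window title satisfies.

Added example, not Trend Micro's code. The masks are the strings listed in
this entry; '*' is treated as a wildcard and the mask is anchored at both
ends (an assumption about the config format). Sample inputs are constructed.
"""
import re
from typing import List

# Masks as listed in this entry. The "150 150 10000 900" fields after the
# Liberty Reserve mask are left out (assumed not to be part of the mask).
TARGET_MASKS = [
    "*chase.com*",
    "*hiring.monster.com*Login*",
    "*libertyreserve.com*",
    "http*chaseonline.chase.com/",
    "http*chaseonline.chase.com/MyAccounts.aspx*",
    "https://www.usaa.com/inet/ent_logon/Logon*",
]


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Compile a '*'-wildcard mask into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in mask.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


_COMPILED = [(m, mask_to_regex(m)) for m in TARGET_MASKS]


def matching_masks(text: str) -> List[str]:
    """Return every mask (in config order) that the URL or title satisfies."""
    return [m for m, rx in _COMPILED if rx.match(text)]


def is_targeted(url: str, title: str = "") -> bool:
    """True if either the address bar or the window title hits any mask."""
    return bool(matching_masks(url) or matching_masks(title))


if __name__ == "__main__":
    for sample in ("https://chaseonline.chase.com/",
                   "https://chaseonline.chase.com/MyAccounts.aspx?x=1",
                   "https://hiring.monster.com/Login.aspx",
                   "https://www.example.com/"):
        print(sample, "->", matching_masks(sample))
```

Note how the anchoring changes coverage: `*chase.com*` fires on any page whose URL or title contains that domain, while `http*chaseonline.chase.com/` only fires when the address is exactly the site root, and the MyAccounts mask picks up everything below that page.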
It attempts to steal information from the following banks and/or other financial institutions:
- Monster
- Chase
- USAA
- Liberty Reserve
Other Details
This spyware connects to the following URL(s) to check for an Internet connection:
- www.microsoft.com
It does the following:
- For its information theft, it initially contacts the server by sending information using the following format:
  http://{server-site}/dfg35/gate.php?guid={bot guid}&ver={bot version}&stat={bot status}&ie={IE version}&os={OS version}&ut={user type}&cpu={cpu load}&ccrc={crc of configuration file}
  It does this using an HTTP GET request. It then waits for the server to reply. As of this writing, however, the server is inaccessible.
- The server may be any of the following:
  - http://{BLOCKED}rkets.ru
  - http://{BLOCKED}iquet.ru
  - http://{BLOCKED}uman.com
  This spyware also sends its stolen information to the said servers.
- It is capable of the following:
  - stealing FTP accounts
  - stealing POP3 accounts
  - stealing certificates
  - capturing screenshots
  - capturing information entered in web forms
  - performing web injects in major browsers (e.g., Internet Explorer, Firefox)
  - automating the transfer of money from credit cards using the IP location
- After injecting into explorer.exe, it injects itself into any process except the following:
  - system
  - smss.exe
  - csrss.exe
  - cleansweep.exe
- It also hooks the following APIs:
  - ADVAPI32.dll: CryptEncrypt
  - CRYPT32.dll: PFXImportCertStore
  - NETAPI32.dll: NetpwPathCanonicalize
  - USER32.dll: TranslateMessage
  - WININET.dll: HttpAddRequestHeadersA, HttpOpenRequestA, HttpQueryInfoA, HttpSendRequestA, HttpSendRequestW, InternetCloseHandle, InternetQueryDataAvailable, InternetReadFile, InternetReadFileExA, InternetWriteFile
  - WS2_32.dll: send
  - ntdll.dll: LdrLoadDll, NtEnumerateValueKey, NtQueryDirectoryFile, NtResumeThread, NtVdmControl
- It can also perform the following:
  1. Update its binary and configuration file
  2. Disable Windows Defender by setting the status of the WDEnable function to off
  3. Disable ZBOT infections on the affected system by checking for the following ZBOT mutexes: _AVIRA_ and __SYSTEM__
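The check-in format above is specific enough to detect in web proxy logs. The following added example (not Trend Micro's code) parses each requested URL, matches the /dfg35/gate.php path together with the full set of parameters named in this entry (guid, ver, stat, ie, os, ut, cpu, ccrc), and returns the decoded fields so an analyst can pivot on the bot GUID, the contacted host or the configuration CRC. The log layout (timestamp, client IP, method, URL) and the hostnames are constructed for the demonstration; the HTTP method is recorded rather than filtered on, even though the entry describes the check-in as a GET.

```python
"""Detect TSPY_EYEBOT.KV check-in beacons in web proxy logs.

Added example, not Trend Micro's code. Matches the gate.php check-in format
described in this entry. The log format and hostnames are constructed.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

BEACON_PATH_SUFFIX = "/dfg35/gate.php"
BEACON_PARAMS = {"guid", "ver", "stat", "ie", "os", "ut", "cpu", "ccrc"}

# Constructed sample log lines: timestamp, client IP, method, URL.
# Hostnames are placeholders (.invalid), not the real C2 servers.
SAMPLE_LOG = """\
2010-11-09T10:01:02Z 10.0.0.12 GET http://www.microsoft.com/
2010-11-09T10:01:05Z 10.0.0.12 GET http://c2-placeholder.invalid/dfg35/gate.php?guid=WS01_1234567&ver=1.0.1&stat=1&ie=8.0&os=5.1&ut=admin&cpu=12&ccrc=1a2b3c4d
2010-11-09T10:02:00Z 10.0.0.33 GET http://intranet.example/dfg35/gate.php?guid=only
2010-11-09T10:03:11Z 10.0.0.12 POST http://c2-placeholder.invalid/dfg35/gate.php?guid=WS01_1234567&ver=1.0.1&stat=1&ie=8.0&os=5.1&ut=admin&cpu=12&ccrc=1a2b3c4d
"""


def parse_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return the beacon fields if url matches the check-in format, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith(BEACON_PATH_SUFFIX):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if set(query) != BEACON_PARAMS:
        return None  # wrong or incomplete parameter set: not this beacon
    return {k: v[0] for k, v in query.items()}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one alert per request whose URL matches the beacon format."""
    alerts = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # malformed or empty line
        ts, client, method, url = fields
        beacon = parse_beacon(url)
        if beacon is None:
            continue
        alerts.append({"time": ts, "client": client, "method": method,
                       "host": urlsplit(url).hostname or "", **beacon})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['client']} -> {alert['host']} "
              f"guid={alert['guid']} ccrc={alert['ccrc']} ({alert['method']})")
```

Requiring the exact parameter set, rather than just the path, keeps a benign page that happens to live at a gate.php path from firing; the www.microsoft.com connectivity check the entry mentions is ordinary traffic and is deliberately not treated as an indicator.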
Variant Information
This spyware has the following MD5 hashes:
- 6e50e3f64a7de15a0b8ae1eac64c504c
It has the following SHA1 hashes:
- 12d0a3287dfa7fc44163c5263549eb7e97d3a46d
SOLUTION
Minimum Scan Engine: 8.900
First VSAPI Pattern File: 7.612.04
First VSAPI Pattern Release Date: 11 Nov 2010
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Restart in Safe Mode
Step 3
Search and delete these folders
- %System Root%\dfgfdxxxgf.exe
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- dfgfdxxxgf.exe = %System Root%\dfgfdxxxgf.exe\dfgfdxxxgf.exe
Step 5
Restart in normal mode and scan your computer with your Trend Micro product for files detected as TSPY_EYEBOT.KV. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 6
Scan your computer with your Trend Micro product to delete files detected as TSPY_EYEBOT.KV. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.