TSPY_SPYEYE.BEK

This spyware injects a remote thread to all running processes except certain processes. It sends certain system information to its C&C server. It hooks APIs to aid in its malicious routines. It is capable of performing certain routines. It may perform webinjects, take screenshots and steal user information such as user names and passwords when the user visits certain sites for banks and/or financial institutions.

This spyware may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It also has rootkit capabilities, which enables it to hide its processes and files from the user.

It modifies the Internet Explorer Zone Settings.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

Arrival Details

This spyware may be downloaded by other malware/grayware/spyware from remote sites.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This spyware drops the following component file(s):

• %System Root%\Widzh31.bak\EB26C824d34090d

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

• %System Root%\Widzh31.bak\F12D0484EAD.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %System Root%\Widzh31.bak

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
4W1J9G6ZZG9IYH6UXYXDDPNPSWRELPI = %System Root%\Widzh31.bak\F12D0484EAD.exe /q

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
EnabledV8 = 0

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
ShownServiceDownBalloon = 0

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Recovery
ClearBrowsingHistoryOnExit = 0

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnOnPostRedirect = 0

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnOnIntranet = 0

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = 0

Backdoor Routine

This spyware connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}3.{BLOCKED}6.9.45
• {BLOCKED}dfilzz.com
• http://{BLOCKED}checkker.net/ASdhgas6d/sdhgas/yrgdate13.php
• http://{BLOCKED}morion.ru/includes/route.php
• http://{BLOCKED}ro.gmb.pl/UNIPARTS/gdb1115/P1021029.php

Rootkit Capabilities

This spyware also has rootkit capabilities, which enables it to hide its processes and files from the user.

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Information Theft

This spyware attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

NOTES:

It injects a remote thread to all running processes except the following:

• F12D0484EAD.exe
• csrss.exe
• services.exe
• smss.exe
• System

It sends the following system information to its C&C server:

• Account type
• Internet Explorer (IE) version
• Language ID
• Local time
• OS Information
• Tick time
• Timezone
• Volume information

It sends the following system information to its C&C server:

• Bot GUID
• Bot hash
• Bot Status (online/offline)
• Bot version
• Function data
• Hooked function
• Plug-in
• Process name
• Status of executed commands

It hooks the following APIs to aid in its malicious routines:

advapi32.dll:

• CryptEncrypt

crypt32.dll:

• PFXImportCertStore

user32.dll:

• TranslateMessage

wininet.dll:

• HttpAddRequestHeadersA
• HttpOpenRequestA
• HttpQueryInfoA
• HttpSendRequestA
• HttpSendRequestW
• InternetCloseHandle
• InternetQueryDataAvailable
• InternetQueryOptionA
• InternetReadFileExA
• InternetReadFile
• InternetWriteFile

ws2_32.dll:

• send

ntdll.dll:

• NtClose
• NtEnumerateValueKey
• NtQueryDirectoryFile
• NtResumeThread
• NtSetInformationFile
• NtVdmControl

It is capable of performing the following routines:

• Capture screenshots
• Harvest email addresses
• Open a remote desktop connection
• Open a reverse connections through a proxy server
• Open a reverse FTP connection
• Perform forms grabbing and webinjects on the following browsers: Internet Explorer, Firefox, Opera, Chrome
• Steal certificates
• Steal FTP accounts
• Steal POP3 accounts
• Update configuration file
• Update itself

It may perform webinjects, take screenshots and steal user information such as user names and passwords when the user visits any of the following banks and/or financial institutions:

• *credit-agricole.fr/stb/entreeBam*
• *www.secure.bnpparibas.net/banque/portail/*/HomeConnexion*
• *entreprises.bnpparibas.net/NSAccess*
• *www.caisse-epargne.fr/pauth.aspx*