PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Trojan

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware, Spammed via email, Downloaded from the Internet, Downloaded by other malware

SPYEYE is a malware family notorious for stealing user information related to banking and finance websites. SPYEYE variants may be downloaded unknowingly by users when visiting malicious sites or dropped by other malware. They may also arrive through spam.

SPYEYE has rootkit capabilities, which enable it to hide its processes and files from users. It steals information by logging user keystrokes. Variants also perform web injection, inserting additional HTML form fields into the pages a victim views, to harvest data the legitimate site never asks for. Stolen login credentials are used to initiate unauthorized transactions such as online fund transfers, and the stolen information may also be sold in the underground market.

When executed, SPYEYE connects to various sites to send and receive information.

SPYEYE has been utilized in many information theft attacks since its discovery. In 2011, a cybercriminal in Russia used SPYEYE to steal more than US$3.2 million from various organizations in the United States.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Compromises system security, Connects to URLs/IPs, Downloads files, Logs keystrokes, Steals information

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Windows%\AvProtector.exe
  • %Windows%\rundlll.exe
  • %Windows%\scvhost.exe
  • %Windows%\win32Runtime.exe
  • %System Root%\trivax1.Bin\trivax1.Bin.exe
  • %System Root%\usxxxxxxxx\usxxxxxxxx.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %System Root%\trivax1.Bin
  • %System Root%\usxxxxxxxx

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Recovery

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
ConsentPromptBehaviorAdmin = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
win32Runtime = "%Windows%\win32Runtime.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ConsentPromptBehaviorAdmin = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
EnableFirewal = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DoNotAllowExceptions = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
EnabledV8 = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\PhishingFilter
ShownServiceDownBalloon = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Recovery
ClearBrowsingHistoryOnExit = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnOnPostRedirect = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
WarnOnIntranet = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\0
1409 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
1409 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\2
1409 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1409 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\4
1409 = "3"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

(Note: The default value data of the said registry entry is 1.)
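The registry changes above share one purpose: they switch off the defences that would otherwise get in the way of the malware (UAC, the Windows Firewall, IE's phishing filter and XSS filter, the POST-redirect warning) and add an autorun entry for a dropped copy. The script below is an added example, not part of the original report or of any vendor tool: it parses a `.reg` export taken from a suspect machine and flags those weakening settings plus any Run entry that points at one of the dropped file names listed under Installation. The `.reg` content embedded here is constructed for the example; the key paths and value names are taken from the report.

```python
"""Offline triage of a Windows registry export (.reg) for the
security-weakening settings listed in the SPYEYE report.

Usage: python triage_reg.py export.reg   (or call triage() from code)
"""
import re
import sys
from typing import Dict, List

# (key path suffix, value name, data that indicates tampering, meaning)
# Suffix matching is deliberate: the same policy appears under HKCU and HKLM.
WEAKENING = [
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 0, "UAC disabled"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorAdmin", 0, "UAC admin prompt disabled"),
    (r"Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall", 0, "Windows Firewall (standard profile) off"),
    (r"Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile", "EnableFirewall", 0, "Windows Firewall (domain profile) off"),
    (r"Software\Microsoft\Internet Explorer\PhishingFilter", "EnabledV8", 0, "IE phishing filter off"),
    (r"Software\Microsoft\Windows\CurrentVersion\Internet Settings", "WarnOnPostRedirect", 0, "IE POST-redirect warning off"),
]
# Zones\0 .. Zones\4, value 1409 = 3 (XSS filter disabled for the zone)
ZONE_XSS = re.compile(r"Internet Settings\\Zones\\[0-4]$", re.I)
# Base names of the dropped copies listed in the report
DROPPED = {"avprotector.exe", "rundlll.exe", "scvhost.exe", "win32runtime.exe", "trivax1.bin.exe"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def decode(data: str):
    """Decode the two .reg value encodings we care about: dword and string."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data  # hex(…) blobs etc. are kept raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Map each [key path] in a .reg export to its name -> decoded data."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = decode(m.group("data"))
    return keys


def triage(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding per weakening setting or suspicious autorun entry."""
    findings: List[str] = []
    for path, values in keys.items():
        low = path.lower()
        for suffix, name, bad, meaning in WEAKENING:
            if low.endswith(suffix.lower()) and str(values.get(name)) == str(bad):
                findings.append(f"{path}\\{name} = {bad}: {meaning}")
        if ZONE_XSS.search(path) and str(values.get("1409")) == "3":
            findings.append(f"{path}\\1409 = 3: XSS filter disabled for this zone")
        if low.endswith(r"software\microsoft\windows\currentversion\run"):
            for name, data in values.items():
                if isinstance(data, str) and data.lower().rsplit("\\", 1)[-1] in DROPPED:
                    findings.append(f"{path}\\{name} -> {data}: autorun of a dropped SPYEYE copy")
    return findings


# Constructed sample export (not taken from a real infection)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"win32Runtime"="C:\\WINDOWS\\win32Runtime.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1409"=dword:00000003
"1400"=dword:00000000
'''

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-16" if len(sys.argv) > 2 else "utf-8").read() if len(sys.argv) > 1 else SAMPLE_REG
    for finding in triage(parse_reg(text)):
        print(finding)
```

Run against the built-in sample it reports five findings (both UAC values, the standard-profile firewall, the zone 3 XSS filter and the win32Runtime autorun) and ignores the benign Updater entry and the unrelated 1400 zone value. Exports produced by regedit are UTF-16; pass any second argument to read the file as UTF-16.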

Other Details

This Trojan connects to the following possibly malicious URLs:

  • http://{BLOCKED}e.net/banners/testing.exe
  • http://{BLOCKED}ion-crew.biz/asdfg/gate.php
  • http://{BLOCKED}x.com/user/gate.php
  • http://{BLOCKED}giftstore.com/icard/gate.php
  • http://{BLOCKED}stat.org/stats/gate.php
  • http://{BLOCKED}bit.org/upload/gate.php
  • http://{BLOCKED}4.{BLOCKED}5.228.147/~main/us1/gate.php
  • http://{BLOCKED}8.{BLOCKED}9.96.95/us1/gate.php
  • http://{BLOCKED}8.{BLOCKED}9.99.250/us1/gate.php
  • http://{BLOCKED}checker007.ru/us10/gate.php
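Almost every URL in the list ends in `/gate.php`, the collector script the bot POSTs stolen data to, several of the hosts are bare IP addresses, and one URL serves an executable. Those three traits are what a network defender can look for once the exact hosts have rotated. The script below is an added example, not part of the original report or of any vendor product: it scores each client in a proxy log on those traits. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for the example, using documentation address ranges; the weights are the example's own choice.

```python
"""Score proxy-log clients for SPYEYE-style C2 traffic.

Traits taken from the report's URL list: POST to a path ending in
/gate.php, requests made directly to an IP address, and .exe downloads.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed proxy log: "<time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2011-06-14T09:12:01Z 10.0.0.7 GET http://intranet.example/portal/index.html 200
2011-06-14T09:12:05Z 10.0.0.7 GET http://203.0.113.45/banners/testing.exe 200
2011-06-14T09:12:09Z 10.0.0.7 POST http://198.51.100.23/us1/gate.php 200
2011-06-14T09:13:30Z 10.0.0.7 POST http://shop.example/icard/gate.php 200
2011-06-14T09:15:00Z 10.0.0.9 GET http://news.example/today.html 200
2011-06-14T09:15:12Z 10.0.0.9 POST http://news.example/login 302
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# (trait name, weight); weights are the example's own, tune them to your data
GATE_POST = ("post_to_gate_php", 3)
EXE_DOWNLOAD = ("exe_download", 2)
DIRECT_TO_IP = ("direct_to_ip", 1)


def classify(method: str, url: str) -> List[Tuple[str, int]]:
    """Return the C2 traits a single request exhibits."""
    parts = urlsplit(url)
    path = parts.path.lower()
    hits: List[Tuple[str, int]] = []
    if method == "POST" and path.rsplit("/", 1)[-1] == "gate.php":
        hits.append(GATE_POST)
    if path.endswith(".exe"):
        hits.append(EXE_DOWNLOAD)
    if IPV4_RE.match(parts.hostname or ""):
        hits.append(DIRECT_TO_IP)
    return hits


def score_clients(log_text: str) -> Dict[str, Tuple[int, List[Tuple[str, List[str]]]]]:
    """Map each client with at least one hit to (total score, [(url, traits)])."""
    acc: Dict[str, list] = defaultdict(lambda: [0, []])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        hits = classify(m["method"], m["url"])
        if hits:
            entry = acc[m["client"]]
            entry[0] += sum(w for _, w in hits)
            entry[1].append((m["url"], [name for name, _ in hits]))
    return {client: (score, hits) for client, (score, hits) in acc.items()}


if __name__ == "__main__":
    for client, (score, hits) in sorted(score_clients(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0]):
        print(f"{client} score={score}")
        for url, traits in hits:
            print(f"  {url}  [{', '.join(traits)}]")
```

On the sample, 10.0.0.7 scores 10 across three requests (an .exe fetched from a bare IP, a gate.php POST to a bare IP, and a gate.php POST to a hostname) while 10.0.0.9, whose only POST goes to a login page, is not reported at all. A POST to `gate.php` alone is the strongest single signal; the other two traits mainly serve to rank hosts that have not yet been blocked.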