TSPY_SPYEKS.C
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This spyware drops the following copies of itself into the affected system and executes them:
- %Program Files%\archivos.exe
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SpyEx = "{malware path and filename}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SpyEx = "%Program Files%\archivos.exe"
Other System Modifications
This spyware adds the following registry keys:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
Morpheus\Registered
startup = "1"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
Morpheus\Registered
started = "True"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
Morpheus
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
Morpheus\Registered