Encyclopedia entry
Updated: Jun 16, 2011 | Published: Mar 04, 2010
Aliases
- Win-Trojan/Remhead.70144 (AhnLab)
- Trojan.PWS.SpySweep (Dr.Web)
- Trojan.Win32.Pincav.qzf (Kaspersky)
- Mal/Spyeye-A (Sophos)
- Trojan.SpyEYE (Symantec)
Alert Level: Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated: Definition: 1.97.544.0 Released: Jan 28, 2011
Detection initially created: Definition: 1.77.388.0 Released: Mar 05, 2010
Summary
TrojanDropper:Win32/EyeStye is a trojan that drops and installs Trojan:Win32/EyeStye, a trojan that captures keystrokes and steals login credentials through a method known as "form grabbing". Trojan:Win32/EyeStye sends captured data to a remote attacker, may download updates of its components, and has a rootkit component to hide its malicious activity.
Symptoms
Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptom(s).
Technical Information (Analysis)
TrojanDropper:Win32/EyeStye is a trojan that drops and installs Trojan:Win32/EyeStye, a trojan that captures keystrokes and steals login credentials through a method known as "form grabbing". Trojan:Win32/EyeStye sends captured data to a remote attacker, may download updates of its components, and has a rootkit component to hide its malicious activity.
Installation
When run, this trojan creates a mutex "__CLEANSWEEP__" to ensure only one instance of the trojan dropper executes. The trojan injects malicious code into running processes such as "explorer.exe" and avoids injecting code into the following system processes:
- system
- smss.exe
- csrss.exe
The trojan dropper creates the following files:
- %SystemDrive%\cleansweep.exe\cleansweep.exe - Trojan:Win32/EyeStye
- %SystemDrive%\cleansweep.exe\config.bin - configuration file in ZIP archive format
TrojanDropper:Win32/EyeStye executes Trojan:Win32/EyeStye.
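As an added example (not part of this entry and not Microsoft's tooling), the following Python host-triage check looks for the two dropped files named above under a given drive root and, for config.bin, confirms it really is a ZIP archive and lists its members without executing anything. The paths, file names and ZIP format come from the entry; the sample-tree builder and everything it writes are constructed placeholders for offline testing.

```python
import tempfile
import zipfile
from pathlib import Path

# Dropped-file paths named in the write-up, relative to %SystemDrive%.
DROP_DIR = Path("cleansweep.exe")
DROPPED_FILES = {
    "payload": DROP_DIR / "cleansweep.exe",   # Trojan:Win32/EyeStye
    "config": DROP_DIR / "config.bin",        # configuration, ZIP format
}
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")   # local-file header / empty archive


def inspect_config(path: Path) -> dict:
    """Describe a config.bin without running it: is it a ZIP, and what is inside?"""
    head = path.read_bytes()[:4]
    info = {"is_zip": head in ZIP_MAGICS, "members": []}
    if info["is_zip"]:
        try:
            with zipfile.ZipFile(path) as zf:
                info["members"] = zf.namelist()
        except zipfile.BadZipFile:
            info["is_zip"] = False          # ZIP magic but truncated/corrupt body
    return info


def scan_for_eyestye(system_drive) -> dict:
    """Return the file indicators present under one drive root, keyed by name."""
    root = Path(system_drive)
    findings = {}
    for name, rel in DROPPED_FILES.items():
        full = root / rel
        if full.is_file():
            findings[name] = {"path": str(full), "size": full.stat().st_size}
            if name == "config":
                findings[name].update(inspect_config(full))
    return findings


def build_sample_tree(corrupt_config: bool = False) -> str:
    """Constructed, benign stand-in for an infected drive root (offline testing only)."""
    root = Path(tempfile.mkdtemp())
    (root / DROP_DIR).mkdir()
    (root / DROPPED_FILES["payload"]).write_bytes(b"MZ placeholder, not malware")
    cfg = root / DROPPED_FILES["config"]
    if corrupt_config:                      # right magic, truncated body
        cfg.write_bytes(b"PK\x03\x04 truncated")
    else:
        with zipfile.ZipFile(cfg, "w") as zf:
            zf.writestr("config.dat", "constructed placeholder")
    return str(root)
```

On a live Windows host, pass the value of the SystemDrive environment variable (for example "C:\\") to scan_for_eyestye; an empty result means neither dropped file was found at the documented path.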
Additional Information
Analysis by Rodel Finones
Prevention
Recovery