Win32/EyeStye


Microsoft security software detects and removes this threat.

This family of trojans tries to steal your sensitive data, such as your website login details, and sends it to a malicious hacker.

It can also download and run files, such as updates of its components. It might use a rootkit to hide what it is doing on your PC.

Find out ways that malware can get on your PC.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following steps can help change these settings back to what you want:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This malware can be installed by TrojanDropper:Win32/EyeStye. When run, the trojan creates one of the following mutex names to ensure only one instance of the malware runs:

  • __SPYNET__
  • __CLEANSWEEP__

Recent variants have also been observed creating mutexes with a configurable, variable name.

In the wild, we have observed the trojan dropping files in the folder in which it is run. It can create a hidden top-level folder, using the following format:

  • \<file name>\<file name>.exe

Where <file name> can be, but is not limited to, the following:

  • cleansweep.exe
  • windowseep.exe

For example, cleansweep\cleansweep.exe.

The registry is modified to run the malware at each Windows start.

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Win32/EyeStye file name>" (for example "syscheckrt.exe")
With data: "<path and file name of Win32/EyeStye>" (for example "c:\syscheckrt\syscheckrt.exe")

or

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random key>"
With data: "<path and file name of Win32/EyeStye>" (for example "c:\syscheckrt\syscheckrt.exe")

The configuration data file can also contain various "plug-ins" that are used to make up the malware's payload. These can include the following:

  • Backdoor functionality (either through RDP or a Socks5 proxy) letting a hacker access and control your PC
  • Jabber notification to the malware author of new infections
  • Specific connections to use for transmission of stolen information to a hacker
  • The ability to grab certificates from Firefox
  • FTP functionality

The configuration file can contain the following files:

  • config.dat
  • screenshots.txt
  • dns.txt
  • <plug-in>.dll
  • <plug-in>.cfg

Win32/EyeStye injects its payload into all currently running processes, while avoiding the following processes:

  • smss.exe
  • csrss.exe
  • services.exe
  • System
  • <Win32/EyeStye process>

Payload

Lowers browser security zone settings

The malware changes registry data that lowers browser security for Internet Explorer:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "EnableHttp1_1"
With data: "1"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1409"
With data: "3"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1409"
With data: "3"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1409"
With data: "3"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1409"
With data: "3"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1409"
With data: "3"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
Sets value: "1406"
With data: "0"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
Sets value: "1406"
With data: "0"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
Sets value: "1406"
With data: "0"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
Sets value: "1406"
With data: "0"

In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: "EnabledV8"
With data: "0"

In subkey: HKCU\Software\Microsoft\Internet Explorer\Recovery
Sets value: "ClearBrowsingHistoryOnExit"
With data: "0"
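As an added illustration (not code from the Microsoft entry), the following Python script checks a `reg export` dump for the two registry patterns this entry describes: the Run entry pointing at a `<name>\<name>.exe` path from the Installation section, and the Internet Settings values listed above. The sample export is constructed; the key paths, value names and data come from this page.

```python
import re

# Constructed sample (not a real capture) of a "reg export HKCU\Software\Microsoft" dump
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"syscheckrt.exe"="c:\\syscheckrt\\syscheckrt.exe"
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1409"=dword:00000003

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
"1406"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"EnabledV8"=dword:00000000
'''

IE = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# (key relative to HKCU, value name) -> data the trojan writes, as listed on this page
WEAKENED = {(f"{IE}\\Zones\\{z}", "1409"): 3 for z in range(5)}
WEAKENED.update({(f"{IE}\\Lockdown_Zones\\{z}", "1406"): 0 for z in range(1, 5)})
WEAKENED[(IE, "EnableHttp1_1")] = 1
WEAKENED[(r"Software\Microsoft\Internet Explorer\PhishingFilter", "EnabledV8")] = 0
WEAKENED[(r"Software\Microsoft\Internet Explorer\Recovery", "ClearBrowsingHistoryOnExit")] = 0
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def parse_reg(text):
    """Parse HKCU keys of a .reg export into {key.lower(): {value.lower(): data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[HKEY_CURRENT_USER\\(.+)\]$", line, re.I)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
            continue
        val = re.match(r'^"([^"]+)"=(?:dword:([0-9a-f]{8})|"(.*)")$', line, re.I)
        if val and current is not None:
            name, dword, string = val.groups()
            current[name.lower()] = int(dword, 16) if dword else string.replace("\\\\", "\\")
    return keys

def find_indicators(keys):
    """Return the registry changes from this entry that are present in a parsed export."""
    hits = [f"{key}\\{name} = {bad}" for (key, name), bad in WEAKENED.items()
            if keys.get(key.lower(), {}).get(name.lower()) == bad]
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        # persistence path laid out as <drive>:\<name>\<name>.exe (the hidden top-level folder)
        if re.fullmatch(r"[a-z]:\\([^\\]+)\\\1\.exe", str(data), re.I):
            hits.append(f"Run\\{name} -> {data} (<name>\\<name>.exe layout)")
    return hits
```

Run `reg export HKCU\Software\Microsoft dump.reg` on a suspect machine and pass the file contents to `parse_reg` to list which of these changes are present; an empty result only means these specific values are absent, not that the PC is clean.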

Changes Mozilla Firefox settings

The malware changes the following settings for the web browser Mozilla Firefox:

  • Disables safe browsing
  • Disables malware blacklist check for downloads
  • Disables alerts
  • Disables clearing cookies and sessions

Uses stealth

Win32/EyeStye hooks the following APIs to prevent affected users from seeing malware files or system modifications with Windows Explorer, within a command prompt, or within the registry:

  • NtEnumerateValueKey
  • ZwEnumerateValueKey
  • NtQueryDirectoryFile
  • ZwQueryDirectoryFile
  • NtVdmControl
  • ZwVdmControl

Exports imported certificates

The malware hooks the crypt32.dll API PFXImportCertStore to make all imported certificates exportable.
 
Steals sensitive information

Win32/EyeStye hooks the following Windows APIs to steal authentication information and alter web content presented to the user:

  • HttpAddRequestHeadersA
  • HttpOpenRequestA
  • HttpSendRequestW
  • HttpQueryInfoA
  • InternetQueryDataAvailable
  • InternetReadFile
  • InternetReadFileExA
  • InternetCloseHandle
  • InternetQueryOptionA
  • InternetWriteFile

The following Firefox APIs are also hooked for the same purpose:

  • PR_Read
  • PR_Write
  • PR_Close
  • PR_OpenTCPSocket
  • PR_GetSocketOption
  • PR_SetSocketOption
  • PR_GetError
  • PR_SetError

It hooks the following APIs to take screenshots of the affected PC:

  • GdipSaveImageToStream
  • GdipSaveImageToFile
  • GdipCreateBitmapFromHBITMAP
  • GdiplusShutdown
  • GdiplusStartup

Bypasses SSL

Win32/EyeStye hooks the API CryptEncrypt to intercept SSL traffic. If the security program Trusteer Rapport is running, the malware returns an error NTE_NO_MEMORY so that plain authentication is used.

Sends captured data to a remote server

The trojan tries to send captured data via HTTP POST to a remote server. In the wild, we have observed this trojan connecting to the following remote servers:


It has been observed contacting the following remote server:

traxbax.<removed>/user/gate<removed>

While sending captured data, it can include the following additional information:

  • "Bot GUID" - unique identifier associated with the trojan
  • User name
  • PC name
  • Volume serial number
  • Process name associated with captured data
  • Name of hooked API function (for example PR_Write)
  • Captured raw data
  • Keys, logged keystrokes
  • Other information specific to the PC locale, such as:
      • Local time
      • Time zone
      • Operating system version
      • Language

Analysis by Jaime Wong


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    cleansweep.exe
    windowseep.exe
    collectors.txt
    webinjects.txt

  • You see these entries or keys in your registry:

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Sets value: "EnableHttp1_1"
    With data: "1"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    Sets value: "1409"
    With data: "3"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    Sets value: "1409"
    With data: "3"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    Sets value: "1409"
    With data: "3"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "1409"
    With data: "3"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    Sets value: "1409"
    With data: "3"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
    Sets value: "1406"
    With data: "0"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
    Sets value: "1406"
    With data: "0"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
    Sets value: "1406"
    With data: "0"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
    Sets value: "1406"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
    Sets value: "EnabledV8"
    With data: "0"

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Recovery
    Sets value: "ClearBrowsingHistoryOnExit"
    With data: "0"


Prevention


Alert level: Severe
This entry was first published on: Mar 04, 2010
This entry was updated on: Aug 22, 2014

This threat is also detected as:
  • SpyEye (other)
  • EyeSpy (other)