Trojan:Win32/EyeStye.T is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.
Installation
When executed, Trojan:Win32/EyeStye.T copies itself to <system folder>\drivers.exe.
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP, Vista, and 7.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "drivers.exe"
With data: "c:\windows\system32\drivers.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "StubPath"
With data: "c:\windows\system32\drivers.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1dce898d-d065-13b8-8b4e-ae1fd6c9bb42}
The malware uses code injection to hinder detection and removal. When Trojan:Win32/EyeStye.T executes, it may inject code into running processes, including, for example, the following:
Payload
Modifies browser settings
Trojan:Win32/EyeStye.T locks the Internet Explorer toolbar by making the following registry modification:
Adds value: "Locked"
With data: "1"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar
Contacts remote host
The malware may contact a remote host at prueba-1986.no-ip.biz using port 80. Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 14206bf844b18312bf6311e8660c68128e02e0ec.