Threat Encyclopedia

Win32/Spy.SpyEye.B

Aliases: Trojan.Win32.Pincav.shd (Kaspersky), BackDoor-Spyeye (McAfee), Trojan.Spyeye (Symantec)
Type of infiltration: Trojan
Size: 70144 B
Affected platforms: Microsoft Windows
Signature database version: 4858 (20100211)

Short description

Win32/Spy.SpyEye.B is a trojan that steals sensitive information. The trojan can send the information to a remote machine. The file is run-time compressed using UPX. It uses techniques common to rootkits.

Installation

When executed, the trojan copies itself into the %systemdrive%\cleansweep.exe folder using the following filename:
  • cleansweep.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "cleansweep.exe" = "%systemdrive%\cleansweep.exe\cleansweep.exe"
The trojan may create and run a new thread with its own program code within any running process.

Other information

The trojan hooks the following Windows APIs:
  • NtEnumerateValueKey (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • NtVdmControl (ntdll.dll)
  • NtResumeThread (ntdll.dll)
  • LdrLoadDll (ntdll.dll)
  • TranslateMessage (user32.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • send (ws2_32.dll)
  • CryptEncrypt (advapi32.dll)
The trojan acquires data and commands from a remote computer or the Internet. It contains a list of URLs (1 entry) and communicates using the HTTP protocol.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • monitor network traffic
  • log keystrokes
The trojan can send the information to a remote machine.

The trojan creates the following files:
  • %systemdrive%\cleansweep.exe\config.bin
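The following Python script is an added triage example, not ESET's code and not part of this entry. It parses a Windows .reg export of the HKCU Run key together with a file listing and flags the two host artifacts described in the Installation and file-creation sections: a Run value whose target executable lives inside a directory that is itself named like an executable, and a config.bin inside such a directory. The .reg text, the OneDrive entry and the C: drive paths are constructed sample input; only the cleansweep.exe and config.bin names come from this entry.

```python
"""Triage helper for the SpyEye.B persistence and file artifacts.

Added example (not ESET's code). Inputs are a .reg export of the HKCU Run
key and a list of file paths, both constructed below for offline use.
"""
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg export: one benign value and one that mirrors the entry's indicator.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"cleansweep.exe"="C:\\cleansweep.exe\\cleansweep.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

# Constructed file listing, as produced by e.g. `dir /s /b C:\` on the suspect host.
SAMPLE_FILES = [
    r"C:\Windows\System32\ntdll.dll",
    r"C:\cleansweep.exe\cleansweep.exe",
    r"C:\cleansweep.exe\config.bin",
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
]

# Matches a REG_SZ line of the form "name"="value" (quotes and backslashes escaped).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg string values escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return {value_name: command} for REG_SZ values under the HKCU Run key."""
    values, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_run_key else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def command_image(command):
    """Extract the executable path from a Run command ('"x y.exe" /a' or 'x.exe /a')."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    # Unquoted paths containing spaces are ambiguous; take the first token.
    return command.split(" ", 1)[0]


def dir_named_like_exe(path):
    """True if any directory component of the path ends in '.exe' (the trojan's folder name)."""
    return any(part.lower().endswith(".exe") for part in PureWindowsPath(path).parent.parts)


def triage(reg_text, file_listing):
    """Return (rule, subject, path) tuples for artifacts matching the SpyEye.B pattern."""
    findings = []
    for name, command in parse_run_values(reg_text).items():
        image = command_image(command)
        if dir_named_like_exe(image):
            findings.append(("run_key_exe_dir", name, image))
    for path in file_listing:
        p = PureWindowsPath(path)
        if p.name.lower() == "config.bin" and dir_named_like_exe(path):
            findings.append(("config_in_exe_dir", str(p.parent), path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_FILES):
        print(*finding)
```

On a real host the Run key can be exported with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and the listing taken from a recursive `dir`; feeding both to `triage()` flags only entries that fit the pattern above, so ordinary autostart entries such as the constructed OneDrive value are not reported.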