Trojan.Win32.EyeStye_b685c1f760

by malwarelabrobot on July 23rd, 2013 in Malware Descriptions.

Trojan.Win32.Jorik.SpyEyes.bcc (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Win32.Spyeye!IK (Emsisoft), Trojan.Win32.EyeStye.FD, TrojanEyeStye.YR, SpyEye.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: b685c1f7609b46681f88d61faebdb5d3
SHA1: 259026b341f418727c73cbadbd55da51e2df59d4
SHA256: bc7da0087eeb8e1a7c81df1ac4a227c66a00b1ab4b5aadc33ad605105b4df8bd
SSDeep: 3072:uqYBoGRmJNGQAynjIWX9aEyDq6VJC5SgR9llIdh1QRFz3eQa:uqYL6dnJXOW6 3Wdh13
Size: 200704 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC; Armadillov171; MicrosoftVisualCv50v60MFC; MicrosoftVisualC50; UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-11 17:06:24


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). The vendor detection names listed above classify this sample as a SpyEye variant; the WININET, WS2_32, CRYPT32 and ADVAPI32 hooks and the gate.php check-in recorded below are consistent with that family's credential-stealing behaviour.

Payload

The automated run recorded no specific payload beyond the user-mode hooks and the command-and-control check-in listed below.

Process activity

The Trojan creates the following process(es):

9YIMCEYYUc4.exe:536
b685c1f7609b46681f88d61faebdb5d3.exe:524
B6232F3A456.exe:1256
B6232F3A456.exe:536
B6232F3A456.exe:168
B6232F3A456.exe:2004

File activity

The process B6232F3A456.exe:2004 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

C:\Recycle.Bin\479DB46D1258962 (5 bytes)

Registry activity

Every process in the run writes the same registry value, [HKLM\SOFTWARE\Microsoft\Cryptography\RNG] "Seed". This value is maintained by the Windows CryptoAPI itself: the operating system reseeds it whenever a process calls CryptGenRandom, so these writes show that each process used the CryptoAPI, not that the Trojan tampered with the registry. They are a side effect of the infection, not a useful indicator of compromise on their own.

The process 9YIMCEYYUc4.exe:536 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 AD D9 20 71 DC F7 E1 94 C8 00 B9 F1 E1 63 2D"

The process b685c1f7609b46681f88d61faebdb5d3.exe:524 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C DE 25 12 CB 6D 2D 67 05 A5 92 A9 E4 F4 8F C8"

The process B6232F3A456.exe:1256 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 10 4A 26 5B 3A 47 87 BD BC 3F 3D 92 0B 7B 59"

The process B6232F3A456.exe:536 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 95 D0 D3 E1 B6 D5 84 5E 70 F2 56 0B 46 24 DB"

The process B6232F3A456.exe:168 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 99 18 3E FD A6 E0 03 52 4E 54 19 9A 67 42 03"

The process B6232F3A456.exe:2004 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 63 1B 53 BF 0E DC 04 D8 25 05 64 6F 2E 93 C9"

Network activity (URLs)

URL: hxxp://37.1.195.31/_cp/gate.php
IP: 37.1.195.31

The request goes straight to an IP address, so there is no DNS lookup to alert on. The /_cp/gate.php path is the collector gate of the SpyEye control panel; traffic to it is the sample's command-and-control check-in, and the IP address and URI are the indicators worth blocking and hunting for in proxy logs.


Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll (these sit in every process that uses WinINet, Internet Explorer included, and let the Trojan read and modify HTTP requests and responses in the clear, before encryption on the way out and after decryption on the way in):

HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
HttpAddRequestHeadersA
HttpOpenRequestA
InternetQueryOptionA

The Trojan installs the following user-mode hooks in USER32.dll (used to capture keystrokes and mouse clicks):

TranslateMessage

The Trojan installs the following user-mode hooks in CRYPT32.dll (PFXImportCertStore is called when a PKCS#12 certificate and its private key are imported; hooking it captures client certificates together with the password that protects them):

PFXImportCertStore

The Trojan installs the following user-mode hooks in ADVAPI32.dll (captures buffers before they are encrypted):

CryptEncrypt

The Trojan installs the following user-mode hooks in WS2_32.dll (captures raw socket writes from any Winsock client, not only programs that go through WinINet):

send

The Trojan installs the following user-mode hooks in ntdll.dll (the rootkit part: the NtQueryDirectoryFile and NtEnumerateValueKey hooks hide its file and registry entries from directory listings and registry enumeration, the NtResumeThread hook lets it inject into each newly created process, and the ZwSetInformationFile hook protects its files from deletion and renaming):

NtVdmControl
ZwSetInformationFile
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey
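All of the hooks above are inline user-mode hooks: the first bytes of the exported function in memory are overwritten with a jump into the Trojan's code. The practical check is therefore to read the prologue of each listed export in a live process and compare it with a clean copy. The script below is an added example, not part of the Lavasoft report or of any vendor tool. It decodes the common x86 hook stubs (jmp rel32, push/ret, mov eax/jmp eax, and the hot-patch short jump) to recover the hook target, diffs in-memory bytes against on-disk bytes, and runs offline on constructed sample data; the module base, export offsets and hook-stub address in the sample are made up, and the live_prologue helper (Windows only) shows how the same bytes would be read from a real process.

```python
"""Inline user-mode hook triage for x86 API prologues.

Added example for this report (not Lavasoft code). Module base, export
offsets and the hook-stub address below are constructed for illustration;
only the decoding rules for the stubs are real x86 encodings.
"""
import struct
import sys

# Unhooked prologue of a typical hot-patchable x86 Win32 API:
#   8B FF  mov edi, edi | 55  push ebp | 8B EC  mov ebp, esp
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")


def classify_prologue(func_va, code):
    """Decode the first bytes of a function at func_va -> (kind, target).

    kind is 'clean', 'jmp_rel32', 'push_ret', 'mov_eax_jmp', 'hotpatch' or
    'unknown'; target is the absolute address the stub diverts to, when the
    stub encodes one in-line.
    """
    if len(code) < 5:
        raise ValueError("need at least 5 bytes of the prologue")
    if code.startswith(CLEAN_PROLOGUE):
        return "clean", None
    if code[0] == 0xE9:                                   # jmp rel32: target = next_ip + rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:           # push imm32 ; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if code[0] == 0xB8 and len(code) >= 7 and code[5:7] == b"\xff\xe0":  # mov eax, imm32 ; jmp eax
        return "mov_eax_jmp", struct.unpack_from("<I", code, 1)[0]
    if code[:2] == b"\xeb\xf9":                           # jmp -7: into the 5-byte pad before the function
        return "hotpatch", None
    return "unknown", None


def diff_prologue(disk, mem):
    """Byte offsets at which the in-memory prologue differs from the on-disk one."""
    return [i for i, (a, b) in enumerate(zip(disk, mem)) if a != b]


def scan(exports):
    """exports: {name: (va, disk_bytes, mem_bytes)} -> {name: (kind, target, diff_offsets)}."""
    result = {}
    for name, (va, disk, mem) in exports.items():
        kind, target = classify_prologue(va, mem)
        result[name] = (kind, target, diff_prologue(disk, mem))
    return result


# ---- constructed sample: every address below is made up for the demo ----
WININET_BASE = 0x76C00000
HOOK_STUB = 0x00A50000          # injected code the hooks divert to (constructed)


def make_jmp_rel32(func_va, target):
    """Build the 5-byte E9 stub a hooking engine would write at func_va."""
    return b"\xe9" + struct.pack("<I", (target - (func_va + 5)) & 0xFFFFFFFF)


def sample_exports():
    """Three exports as they would look in a dump: two hooked, one clean."""
    va_send = WININET_BASE + 0x1234
    va_read = WININET_BASE + 0x2ABC
    va_open = WININET_BASE + 0x3000
    return {
        "WININET.dll!HttpSendRequestW": (va_send, CLEAN_PROLOGUE, make_jmp_rel32(va_send, HOOK_STUB)),
        "WININET.dll!InternetReadFile": (va_read, CLEAN_PROLOGUE,
                                         b"\x68" + struct.pack("<I", HOOK_STUB + 0x40) + b"\xc3"),
        "WININET.dll!InternetOpenA": (va_open, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
    }


def live_prologue(module, func, n=16):
    """Read the first n bytes of an export inside this process (Windows only).

    Feed the result to classify_prologue, or diff it against the same bytes
    from a pristine copy of the DLL, to check a live host for these hooks.
    """
    if sys.platform != "win32":
        raise OSError("live read needs Windows")
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    handle = k32.GetModuleHandleW(module)
    if not handle:
        raise OSError(f"{module} is not loaded in this process")
    return ctypes.string_at(k32.GetProcAddress(handle, func.encode()), n)


if __name__ == "__main__":
    for name, (kind, target, changed) in scan(sample_exports()).items():
        shown = "-" if target is None else hex(target)
        print(f"{name:32} {kind:12} target={shown} changed_offsets={changed}")
```

On a real host, run the live read from inside a process the Trojan has injected (a browser, for instance) and take the "disk" bytes from the same export in a copy of the DLL that has not been loaded by the Trojan, such as the file mapped from a clean Windows installation; a jmp target that falls outside any loaded module's image is the usual sign of injected code like the stub above.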

Propagation

No propagation mechanism was recorded by the automated analysis.

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan the system with an anti-rootkit tool (the ntdll.dll hooks listed above hide the Trojan's file and registry entries from ordinary tools).
  2. Terminate the malicious process(es) (How to End a Process With the Task Manager). The process IDs below are from the analysis run and will differ on an infected host, and the executable names are generated per infection; use them as a guide to the behaviour, not as exact values to search for:

    9YIMCEYYUc4.exe:536
    b685c1f7609b46681f88d61faebdb5d3.exe:524
    B6232F3A456.exe:1256
    B6232F3A456.exe:536
    B6232F3A456.exe:168
    B6232F3A456.exe:2004

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan. Note that C:\Recycle.Bin is not the Windows Recycle Bin (that is RECYCLER on Windows XP and $Recycle.Bin on Vista and later); it is a directory the Trojan creates, and the whole directory can be removed:

    C:\Recycle.Bin\479DB46D1258962 (5 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.