Selected viruses, spyware, and other threats: sorted alphabetically

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Win32/Spy.SpyEye.B

Aliases:	Trojan.Win32.Pincav.shd (Kaspersky), BackDoor-Spyeye (McAfee), Trojan.Spyeye (Symantec)
Type of infiltration:	Trojan
Size:	70144 B
Affected platforms:	Microsoft Windows
Signature database version:	4858 (20100211)

Short description

Win32/Spy.SpyEye.B is a trojan that steals sensitive information. The trojan can send the information to a remote machine. The file is run-time compressed using UPX. It uses techniques common for rootkits.

Installation

When executed, the trojan copies itself into the %systemdrive%cleansweep.exe folder. using the following filename:

cleansweep.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
Run]
"cleansweep.exe" = "%systemdrive%cleansweep.execleansweep.exe"

The trojan may create and run a new thread with its own program code within any running process.

Other information

The trojan hooks the following Windows APIs:

NtEnumerateValueKey (ntdll.dll)
NtQueryDirectoryFile (ntdll.dll)
NtVdmControl (ntdll.dll)
NtResumeThread (ntdll.dll)
LdrLoadDll (ntdll.dll)
TranslateMessage (user32.dll)

The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a list of (1) URLs. The HTTP protocol is used.

It can execute the following operations:

download files from a remote computer and/or the Internet
run executable files
monitor network traffic
log keystrokes

The trojan can send the information to a remote machine.

The trojan creates the following files:

%systemdrive%cleansweep.execonfig.bin

Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Spy.SpyEye.B

Short description

Installation

Other information