Troj/Spyeye-R

Category: Viruses and Spyware
Protection available since: 01 Feb 2011 00:53:00 (GMT)
Type: Trojan
Last Updated: 01 Feb 2011 00:53:00 (GMT)
Prevalence: Small Number of Reports


Troj/Spyeye-R is a Trojan for the Windows platform.

The Trojan has the functionality to download and execute malicious code.

When run, the Trojan copies itself to <System>\svchost.exe and may trigger HIPS/ProcMod-004 runtime detection.

The Trojan will attempt to download code from interviewbuy.ru.

Downloaded files are detected as Mal/FakeAV-BW, Mal/Zbot-AV and Troj/Agent-QFO.

The Trojan may modify the following registry entry:

HKLM\SOFTWARE\Microsoft\DownloadManager

Instances of Troj/Spyeye-R have been received in the form of an email attachment.

The email may claim to be from courier companies, mentioning undelivered parcels and containing an attachment in the form of a zip file.

The zip file is detected as Troj/BredoZp-BT and, when unzipped, the content is detected as Troj/Spyeye-R.

Please refer to the following blog entry for more information:

http://nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out/

Examples of Troj/Spyeye-R include:

Example 1

File Information
Size: 64K
SHA-1: 615747ddd81cb08e8bc6b1af0f3a04eab1448059
MD5: 265c9141115b99bd537d70ac0ce41734
CRC-32: fb3ad24b
File type: application/x-ms-dos-executable
First seen: 2011-02-01

Example 2

File Information
Size: 24K
SHA-1: b33e7f5dd5d12f4135934c313995340759d27f40
MD5: b0decc8d6c47fe76171882613ae0e869
CRC-32: ef5b13f4
File type: application/x-ms-dos-executable
First seen: 2011-02-01

Other vendor detection
Kaspersky: Trojan.Win32.Oficla.edh
Trend: PAK_Generic.001

Runtime Analysis

Processes Created
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://interviewbuy.ru/forum/document.doc
  • http://interviewbuy.ru/forum/load.php
DNS Requests
  • interviewbuy.ru

Example 3

File Information
Size: 21K
SHA-1: 2e87acb9ea411643b57d7988c854a15a0f209dc7
MD5: 491e12f3ab50e21014df656f4140dcaf
CRC-32: f941b2ab
File type: application/zip
First seen: 2011-02-01

Other vendor detection
Kaspersky: Trojan.Win32.Oficla.edh
Trend: PAK_Generic.001
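As an added example, not code from Sophos or from this page: a small Python triage script that matches proxy-log lines and a file-hash inventory against the indicators listed above (the download host and request paths from the runtime analysis, and the SHA-1 values of the three examples). The Squid-style log layout, the sample log lines and the inventory entries are assumptions constructed for the demonstration.

```python
import re

# Indicators taken from this Troj/Spyeye-R description: download host, request paths
# from the runtime analysis, and the SHA-1 values of the listed examples.
C2_DOMAIN = "interviewbuy.ru"
C2_PATHS = {"/forum/document.doc", "/forum/load.php"}
KNOWN_SHA1 = {
    "615747ddd81cb08e8bc6b1af0f3a04eab1448059": "Troj/Spyeye-R (example 1)",
    "b33e7f5dd5d12f4135934c313995340759d27f40": "Troj/Spyeye-R (example 2)",
    "2e87acb9ea411643b57d7988c854a15a0f209dc7": "Troj/BredoZp-BT zip (example 3)",
}

# Assumed Squid-style access.log layout: time elapsed client code/status bytes method url ...
_PROXY_RE = re.compile(r"^\S+ \d+ (?P<client>\S+) \S+ \d+ \S+ (?P<url>\S+)")
_URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?\s]*)?")

def scan_proxy_log(text):
    """One finding per request to the download host; the exact payload paths rate 'high'."""
    findings = []
    for line in text.splitlines():
        m = _PROXY_RE.match(line)
        u = _URL_RE.match(m.group("url")) if m else None
        if not u or u.group("host").lower() != C2_DOMAIN:
            continue
        path = u.group("path") or "/"
        findings.append({"client": m.group("client"), "path": path,
                         "severity": "high" if path in C2_PATHS else "medium"})
    return findings

def match_known_hashes(inventory):
    """inventory maps file path -> SHA-1 hex; returns (path, detection) for hashes on this page."""
    return [(p, KNOWN_SHA1[h.lower()]) for p, h in inventory.items() if h.lower() in KNOWN_SHA1]

# Constructed sample input (not real captures): two hits on the runtime-analysis URLs from one
# client, one unrelated request, and one request to the domain on a path not listed here.
SAMPLE_PROXY_LOG = """\
1296518400.123 245 10.0.0.17 TCP_MISS/200 1832 GET http://interviewbuy.ru/forum/load.php - DIRECT/203.0.113.5 text/html
1296518401.500 120 10.0.0.17 TCP_MISS/200 66304 GET http://interviewbuy.ru/forum/document.doc - DIRECT/203.0.113.5 application/octet-stream
1296518402.000 80 10.0.0.22 TCP_HIT/200 5120 GET http://example.com/index.html - NONE/- text/html
1296518403.250 90 10.0.0.31 TCP_MISS/404 410 GET http://INTERVIEWBUY.RU/other.php?x=1 - DIRECT/203.0.113.5 text/html
"""
# The Trojan copies itself to <System>\svchost.exe, so that file's hash is the one to compare.
# The second entry is a constructed placeholder, not a real kernel32.dll hash.
SAMPLE_INVENTORY = {
    r"C:\Windows\System32\svchost.exe": "615747DDD81CB08E8BC6B1AF0F3A04EAB1448059",
    r"C:\Windows\System32\kernel32.dll": "0" * 40,
}
```

On the constructed sample, scan_proxy_log returns three findings (two rated high, one medium for the unlisted path) and match_known_hashes flags only the svchost.exe entry.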
