Dropped by other malware, Spammed via email, Downloaded from the Internet, Downloaded by other malware
SPYEYE is a malware family notorious for stealing user information related to banking and finance websites. SPYEYE variants may be downloaded unknowingly by users when visiting malicious sites or dropped by other malware. They may also arrive through spam.
SPYEYE has rootkit capabilities, which enable it to hide processes and files from users. SPYEYE steals information by logging user keystrokes. Variants also perform web injection—inserting additional HTML forms—to get additional information. Stolen login credentials are used to initiate unauthorized transactions like online fund transfers. The stolen information may also be sold in the underground market.
When executed, SPYEYE malware connects to various sites to send and receive information.
SPYEYE has been utilized in many information theft attacks since its discovery. In 2011, a cybercriminal in Russia used SPYEYE to steal more than US$3.2 million from various organizations in the United States.
Compromises system security, Connects to URLs/IPs, Downloads files, Logs keystrokes, Steals information
This spyware drops the following copies of itself into the affected system:
(Note: %Windows% is the Windows folder, which is usually C:\Windows. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It creates the following folders:
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Other System Modifications
This spyware adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin = "0"
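A triage check for the registry modifications listed above, as an added example that is not part of the original write-up: it scans the text of a `reg export` taken from a user hive and reports the two policy values when they are set to 0, along with the two Internet Explorer keys. The function name and the sample export are constructed for illustration, and because the write-up does not give the value type, both DWORD and string data are accepted.

```python
import re

# Indicators taken from the registry modifications listed above.
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
WATCHED_VALUES = {"enablelua": 0, "consentpromptbehavioradmin": 0}
WATCHED_KEYS = (
    r"software\microsoft\internet explorer\phishingfilter",
    r"software\microsoft\internet explorer\recovery",
)
USER_ROOT = re.compile(r"^(hkey_current_user|hkey_users\\[^\\]+)\\", re.I)
VALUE_LINE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-f]{8})|"(\d+)")\s*$', re.I)

def scan_reg_export(text):
    """Return (key, detail) findings from `reg export` text (hypothetical helper)."""
    findings, subkey, full_key = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            full_key = line[1:-1]
            m = USER_ROOT.match(full_key)
            # Only per-user hives are compared; other roots are skipped.
            subkey = full_key[m.end():].lower() if m else None
            if subkey in WATCHED_KEYS:
                findings.append((full_key, "key present"))
            continue
        m = VALUE_LINE.match(line)
        if m and subkey == POLICY_KEY:
            name = m.group(1).lower()
            data = int(m.group(2), 16) if m.group(2) else int(m.group(3))
            if WATCHED_VALUES.get(name, -1) == data:
                findings.append((full_key, f"{m.group(1)} = {data}"))
    return findings

# Constructed sample export, not taken from a real infection.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"="0"
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
'''
if __name__ == "__main__":
    for key, detail in scan_reg_export(SAMPLE):
        print(f"{key}: {detail}")
```

Files written by `reg export` are UTF-16, so decode them before passing the text in. A "key present" finding on its own is weak evidence and is best read together with the two policy values.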