Virus: TR/Spy.SpyEyes.eic
Date discovered: 10/01/2011
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 294.912 Bytes
MD5 checksum: a17ee10abdaf0c5c34abb551dab340b5
VDF version: 7.10.07.173
IVDF version: 7.11.01.60 - Monday, January 10, 2011

General
Method of propagation:
   • No spreading routine of its own


Aliases:
   • Kaspersky: Trojan-Spy.Win32.SpyEyes.eic
   • F-Secure: Trojan-Spy.Win32.SpyEyes.eic
   • Microsoft: Win32/EyeStye.H
   • Eset: Win32/Spy.SpyEye.CA
   • DrWeb: BackDoor.Spy.706


Platforms / OS:
   • Windows NT
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops a file
   • Lowers security settings
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %drive%\portwexexe\portwexexe.exe



It deletes the initially executed copy of itself.



The following file is created:

%drive%\portwexexe\config.bin

Registry
The following value is added in order to run the process after reboot:

HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
   • "portwexexe.exe"="%drive%\portwexexe\portwexexe.exe"



The following registry keys are added:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
   • "1409"=dword:00000003
   • "1609"=dword:00000000
   • "1406"=dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
   • "1409"=dword:00000003
   • "1609"=dword:00000000
   • "1406"=dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
   • "1409"=dword:00000003
   • "1609"=dword:00000000
   • "1406"=dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
   • "1409"=dword:00000003
   • "1609"=dword:00000000
   • "1406"=dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
   • "1409"=dword:00000003
   • "1609"=dword:00000000
   • "1406"=dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
   • "1406"=dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
   • "1406"=dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
   • "1406"=dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
   • "1406"=dword:00000000

HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
   • "EnabledV8"=dword:00000000
   • "ShownServiceDownBalloon"=dword:00000000

HKCU\Software\Microsoft\Internet Explorer\Recovery
   • "ClearBrowsingHistoryOnExit"=dword:00000000

HKCU\Software\Microsoft\Internet Explorer\DBControl


The following registry key is changed:

Lowers the security settings of Internet Explorer:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
   Old value:
   • "EnableHttp1_1"=%user defined settings%
   • "ProxyHttp1.1"=%user defined settings%
   • "WarnOnPost"=%user defined settings%
   • "WarnOnPostRedirect"=%user defined settings%
   • "WarnOnIntranet"=%user defined settings%
   • "GlobalUserOffline"=%user defined settings%
   New value:
   • "EnableHttp1_1"=dword:00000001
   • "ProxyHttp1.1"=dword:00000001
   • "WarnOnPost"=hex:00,00,00,00
   • "WarnOnPostRedirect"=dword:00000000
   • "WarnOnIntranet"=dword:00000000
   • "GlobalUserOffline"=dword:00000000
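As an added, defender-side example (not Avira's code and not part of the original description), the following Python checks a `.reg` export of a user hive against the registry indicators listed above. The export it runs on is constructed here, `C:` stands in for the unspecified `%drive%`, and the indicator weights are an editorial choice: the Run value is specific to this sample, whereas the Internet Explorer settings can also be changed by users or other software and so only raise the score modestly.

```python
"""Check a Windows .reg export for the registry indicators from this description."""
import re
from typing import Dict, List, Optional, Tuple, Union

RegData = Union[int, str, bytes]

# Constructed sample of a user-hive .reg export from a suspect machine. The values
# mirror the indicators above; "C:" is an assumed value for %drive%.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"portwexexe.exe"="C:\\portwexexe\\portwexexe.exe"
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1409"=dword:00000003
"1609"=dword:00000000
"1406"=dword:00000000
"2500"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"EnabledV8"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPost"=hex:00,00,00,00
"WarnOnIntranet"=dword:00000000
'''

_IS = r'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# (key, value name, expected data or None, weight, label). Weights are an editorial
# choice: the Run value is sample-specific, the IE settings are weaker evidence.
INDICATORS: List[Tuple[str, str, Optional[RegData], int, str]] = [
    (r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run', 'portwexexe.exe', None, 10,
     'autorun value for portwexexe.exe'),
    (r'HKCU\Software\Microsoft\Internet Explorer\PhishingFilter', 'EnabledV8', 0, 3,
     'IE phishing filter disabled'),
    (_IS, 'WarnOnPost', 0, 1, 'form-post warning disabled'),
    (_IS, 'WarnOnIntranet', 0, 1, 'intranet warning disabled'),
]
# Zone settings 1409, 1609 and 1406 are, in Microsoft's zone-setting numbering,
# the cross-site scripting filter, mixed-content display and cross-domain data access.
for _zone in range(5):
    _zone_key = '\\'.join([_IS, 'Zones', str(_zone)])
    INDICATORS += [
        (_zone_key, '1409', 3, 2, f'zone {_zone}: XSS filter disabled'),
        (_zone_key, '1609', 0, 1, f'zone {_zone}: mixed content allowed'),
        (_zone_key, '1406', 0, 1, f'zone {_zone}: cross-domain data access allowed'),
    ]

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _norm_key(key: str) -> str:
    """Upper-case a key path and expand the HKCU abbreviation used in the description."""
    key = key.strip().rstrip('\\').upper()
    return re.sub(r'^HKCU(?=\\)', 'HKEY_CURRENT_USER', key)


def _parse_data(data: str) -> RegData:
    """Decode the dword:, hex: and quoted-string forms used by .reg files."""
    if data.startswith('dword:'):
        return int(data[6:], 16)
    if data.startswith('hex:'):
        raw = bytes.fromhex(data[4:].replace(',', ''))
        # A four-byte REG_BINARY (WarnOnPost=hex:00,00,00,00 above) is compared
        # as a little-endian integer so it can match a dword-style indicator.
        return int.from_bytes(raw, 'little') if len(raw) == 4 else raw
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegData]]:
    """Return {normalised key: {UPPERCASE value name: data}} for a .reg export."""
    keys: Dict[str, Dict[str, RegData]] = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(';') or line.upper().startswith('WINDOWS REGISTRY'):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = _norm_key(key_match.group(1))
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1).upper()] = _parse_data(value_match.group(2))
    return keys


def match_indicators(export_text: str) -> Tuple[List[str], int]:
    """Return the labels of matched indicators and their summed weight."""
    keys = parse_reg_export(export_text)
    hits, score = [], 0
    for key, name, expected, weight, label in INDICATORS:
        actual = keys.get(_norm_key(key), {}).get(name.upper())
        if actual is None:
            continue
        if expected is None:
            # Run value: compare the path tail, since %drive% differs per machine.
            if not str(actual).lower().endswith(r'\portwexexe\portwexexe.exe'):
                continue
        elif actual != expected:
            continue
        hits.append(label)
        score += weight
    return hits, score


if __name__ == '__main__':
    matched, total = match_indicators(SAMPLE_REG_EXPORT)
    for item in matched:
        print('match:', item)
    print('weighted score:', total)
```

Run it against a real export (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion hive.reg`, then pass the file contents to `match_indicators`) and treat the autorun hit as the decisive one; the IE zone and warning values on their own only show that browser security has been weakened, not by whom.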

Backdoor
Contact server:
The following:
   • http://soundpong.com/ahjsda65sda/**********guid=%character string%&ver=%number%&stat=%character string%&ie=6.0.2900.2180&os=%number%&ut=%character string%&plg=%character string%&ccrc=%number%&md5=%character string%



Sends information about:
   • Computer name
   • Current user
   • Current malware status
   • Username
   • Information about the Windows operating system

Injection
It injects itself as a remote thread into a process.

Process name:
   • explorer.exe


Miscellaneous
Checks for an internet connection by contacting the following web site:
   • http://www.microsoft.com

File details
Runtime packer:
In order to hamper detection and reduce the file size, it is packed with the following runtime packer:
   • UPX


Encryption:
Encrypted - The virus code inside the file is encrypted.

Description inserted by Ana Maria Niculescu on Friday, February 25, 2011
Description updated by Ana Maria Niculescu on Thursday, March 3, 2011
