SpyEye.CA_4 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious way. Trojans do not replicate or spread to other computers. File Related Changes It drops the following file(s) on the system: - "c:\windr32.bin\windr32.bin.exe"
Process Related Changes It creates the following mutex(es): - "3fOhWgKsGUcLlGmWYIGqGcAsGExYl"
- "IESQMMUTEX_0_208"
- "DBWinMutex"
- "8392windr291934"
It creates the following process(es): - C:\Windows\system32\rundll32.exe
- C:\windr32.bin\windr32.bin.exe
It injects malicious code into the following process(es): - "C:\Windows\system32\UI0Detect.exe"
- "C:\Windows\system32\nfsclnt.exe"
- "C:\Windows\system32\psxss.exe"
- "C:\Windows\System32\tcpsvcs.exe"
- "C:\Windows\system32\SearchFilterHost.exe"
- "c:\windows\system32\tlntsrv.exe"
- "C:\Windows\system32\wininit.exe"
- "C:\Windows\system32\SearchProtocolHost.exe"
- "C:\Windows\System32\spoolsv.exe"
- "C:\Windows\system32\taskhost.exe"
- "C:\Windows\system32\lsass.exe"
- "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
- "C:\Windows\system32\Dwm.exe"
- "C:\Windows\system32\SearchIndexer.exe"
- "C:\Windows\system32\inetsrv\inetinfo.exe"
- "C:\Windows\system32\lsm.exe"
Network Activity It attempts to connect to the following remote servers: - 193.106xxxxxx:80
- 217.2xxxxxx:53
- lb1.www.ms.akadns.net:80 (64.4.xxxxxx)
We observed the following DNS query/queries: Registry Related Changes It makes the following registry modifications to ensure infection after system reboot: - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\windr32.bin.exe = C:\windr32.bin\windr32.bin.exe
|