
How to remove “Win32:Spyeye-DW [Trj]”?


Win32:Spyeye-DW [Trj] is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and clean your PC during the trial period.
6-day free trial available.

What can the Win32:Spyeye-DW [Trj] virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Expresses interest in specific running processes
  • Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • Unconventional language used in binary resources: Russian
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • The executable is compressed using UPX
  • Authenticode signature is invalid
  • Deletes its original binary from disk
  • Checks for the presence of known windows from debuggers and forensic tools
  • Likely virus infection of existing system binary
  • Checks the presence of disk drives in the registry, possibly for anti-virtualization
  • Creates a copy of itself

How to identify Win32:Spyeye-DW [Trj]?

File Info:

name: 820CDD4CFDD3520A7A03.mlw
path: /opt/CAPEv2/storage/binaries/21ecc016f6fffc0a349325b04944da8e6e134fd3fe2b20e7298d5c6a2b457e91
crc32: C8085207
md5: 820cdd4cfdd3520a7a03054c1da126e6
sha1: ee56e86e562066fd93f1d31a2bef7f49f9072ac7
sha256: 21ecc016f6fffc0a349325b04944da8e6e134fd3fe2b20e7298d5c6a2b457e91
sha512: 2282d72aeab6801e30d6d92d57be2267e306b87933823aa7555f97014a86f0e1e6022966ca84618e390a5061dfbbd95be0574931d1b6b570917935deca5d9537
ssdeep: 6144:xw8jVNiluXInbKqFCg2tMdfOJeHfey/YznAEXo:xwciluY2hjidcGdz0
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T10F141213BCE81D51FAF96E72B30A7A3A809869931970E4010EFF03C299F56AC6317759
sha3_384: eb52a6da678df37a00d93e0010c438e5ae2da64676d852c74b2aa114d47a188608a270f40bb5add19b5bc856ad3e9a7c
ep_bytes: 60be15b071008dbeeb5fceff57eb0b90
timestamp: 2004-05-07 22:28:05

Version Info:

CompanyName: Irjeqrae Tmafdqrt
FileDescription: Irjeqrae Jlsdvmoj Vkudbdtdb
FileVersion: 76, 115, 45, 29
InternalName: Irjeqrae
LegalCopyright: Copyright © Irjeqrae Tmafdqrt 2000-2006
OriginalFilename: Irjeqrae.exe
ProductName: Irjeqrae Jlsdvmoj Vkudbdtdb
ProductVersion: 119, 68, 126, 52
Translation: 0x0409 0x04e4

Win32:Spyeye-DW [Trj] also known as:

  • Bkav: W32.MosquitoQKM.Fam.Trojan
  • Elastic: malicious (high confidence)
  • Cynet: Malicious (score: 100)
  • FireEye: Generic.mg.820cdd4cfdd3520a
  • CAT-QuickHeal: Worm.SlenfBot.Gen
  • ALYac: Gen:Heur.VIZ.2
  • Cylance: Unsafe
  • VIPRE: Trojan.Win32.Kryptik.mcf (v)
  • Sangfor: Exploit.Win32.ShellCode.gen
  • K7AntiVirus: Trojan ( f1000f011 )
  • Alibaba: Exploit:Win32/ShellCode.43273867
  • K7GW: Trojan ( f1000f011 )
  • Cybereason: malicious.cfdd35
  • VirIT: Backdoor.Win32.Bot.BCW
  • Cyren: W32/Zbot.CN.gen!Eldorado
  • Symantec: W32.Qakbot!gen5
  • ESET-NOD32: a variant of Win32/Kryptik.LPD
  • APEX: Malicious
  • Paloalto: generic.ml
  • ClamAV: Win.Trojan.Agent-548342
  • Kaspersky: HEUR:Trojan.Win32.Generic
  • BitDefender: Gen:Heur.VIZ.2
  • NANO-Antivirus: Trojan.Win32.Bot.dcvqle
  • MicroWorld-eScan: Gen:Heur.VIZ.2
  • Avast: Win32:Spyeye-DW [Trj]
  • Tencent: Win32.Trojan.Generic.Dwjc
  • Ad-Aware: Gen:Heur.VIZ.2
  • Sophos: Mal/Generic-R + Mal/FakeAV-IU
  • Comodo: Malware@#132iyay1en5me
  • DrWeb: BackDoor.IRC.Bot.750
  • Zillya: Trojan.Kryptik.Win32.104106
  • TrendMicro: BKDR_QAKBOT.SMG
  • McAfee-GW-Edition: W32/Pinkslipbot.gen.af
  • Emsisoft: Gen:Heur.VIZ.2 (B)
  • Ikarus: Trojan.Win32.Crypt
  • GData: Gen:Heur.VIZ.2
  • Jiangmin: Worm/Kolab.hac
  • Webroot: W32.Worm.Gen
  • Avira: TR/Crypt.EPACK.Gen2
  • Antiy-AVL: Trojan/Generic.ASMalwS.3E395A
  • Kingsoft: Worm.Kolab.(kcloud)
  • ViRobot: Worm.Win32.A.Net-Kolab.202752.M[UPX]
  • Microsoft: Worm:Win32/Slenfbot.gen!D
  • AhnLab-V3: Trojan/Win32.Zbot.R3496
  • McAfee: W32/Pinkslipbot.gen.af
  • MAX: malware (ai score=100)
  • VBA32: Trojan.Zeus.EA.0999
  • TrendMicro-HouseCall: BKDR_QAKBOT.SMG
  • Rising: Trojan.Kryptik!8.8 (CLOUD)
  • Yandex: Trojan.GenAsa!uZ2LKbecRJ8
  • SentinelOne: Static AI – Malicious PE
  • MaxSecure: Trojan.Malware.1895661.susgen
  • Fortinet: W32/Kryptik.NAS!tr
  • BitDefenderTheta: Gen:NN.ZexaF.34212.mmKfaKFFn6nc
  • AVG: Win32:Spyeye-DW [Trj]
  • Panda: Bck/Qbot.AO
  • CrowdStrike: win/malicious_confidence_100% (W)

How to remove Win32:Spyeye-DW [Trj]?

Win32:Spyeye-DW [Trj] removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.