Threat behavior
Worm:Win32/EyeStye.A is a worm that modifies outgoing messages to facilitate spreading via email and social media updates.
Installation
In the wild, we have observed Worm:Win32/EyeStye.A being downloaded by other malware, such as Trojan:Win32/EyeStye, as the following file:
Spreads via…
Email and social media
Once loaded inside a browser, the worm generates a TinyURL which it adds to messages and social media updates sent via the following:
Payload
Captures sensitive data
Worm:Win32/EyeStye.A monitors visited webpages in order to steal sensitive data, such as passwords. In the wild, we have observed the worm trying to capture PayPal credentials.
Modifies outgoing messages
To facilitate spreading, the worm modifies outgoing messages to webmail and social networking websites, as well as messages sent from Windows Live Messenger, by appending a TinyURL that points to malware.
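The following is an added detection sketch, not part of the original analysis: it flags senders whose outgoing messages on several channels all end with the same TinyURL, which is the pattern described above. The `tinyurl.com/<alias>` link format, the channel labels, the thresholds and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# A tinyurl.com link that is the final token of a message body (assumed link format).
TRAILING_TINYURL = re.compile(
    r"(?:^|\s)(?:https?://)?(?:www\.)?tinyurl\.com/([A-Za-z0-9\-]+)/?\s*$",
    re.IGNORECASE,
)

def trailing_short_link(body):
    """Return the TinyURL alias appended at the end of body, or None."""
    match = TRAILING_TINYURL.search(body)
    return match.group(1) if match else None

def flag_senders(messages, min_messages=3, min_channels=2):
    """Flag (sender, alias) pairs where the same trailing TinyURL recurs.

    messages: iterable of (sender, channel, body) tuples taken from
    outbound mail, web proxy or IM logs. Thresholds are assumed values.
    """
    seen = defaultdict(list)  # (sender, alias) -> channels it appeared on
    for sender, channel, body in messages:
        alias = trailing_short_link(body)
        if alias:
            seen[(sender, alias)].append(channel)
    return sorted(
        key for key, channels in seen.items()
        if len(channels) >= min_messages and len(set(channels)) >= min_channels
    )

# Constructed sample data: host-a shows the appended-link pattern on three
# channels, host-b uses a link mid-sentence, host-c has a single trailing link.
SAMPLE = [
    ("host-a", "webmail", "Lunch at noon? http://tinyurl.com/example1"),
    ("host-a", "social", "Great game last night http://tinyurl.com/example1"),
    ("host-a", "im", "brb http://tinyurl.com/example1 "),
    ("host-b", "webmail", "Slides are at http://tinyurl.com/example2 - see page 3"),
    ("host-b", "webmail", "Thanks, see you then."),
    ("host-c", "social", "My new post: http://tinyurl.com/example3"),
]

if __name__ == "__main__":
    for sender, alias in flag_senders(SAMPLE):
        print(f"{sender}: repeated trailing link tinyurl.com/{alias}")
```

A single trailing short link is common in legitimate traffic, so the check keys on repetition of one alias across unrelated messages and channels from the same sender.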
Analysis by Matt McCormack
Prevention