Win32/Spy.Shiz [Threat Name]

Win32/Spy.Shiz.NCM [Threat Variant Name]

Category: trojan
Size: 317480 B
Detection created: Oct 16, 2013
Detection database version: 8924
Aliases: Trojan-Spy.Win32.Agent.cjgt (Kaspersky)
         TrojanSpy:Win32/Gamker.A (Microsoft)
         Infostealer.Shiz (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan collects sensitive information when the user browses certain web sites.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\%variable1%.tmp (317480 B)
  • %commonappdata%\%variable2%.exe (317480 B)

The trojan may create the following files:

  • %temp%\cryptbase.dll
  • %windir%\Tasks\nVidiaBootAgent32.job

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%originalvalue%, %commonappdata%\%variable2%.exe"

A string with variable content is used instead of %variable1-2%.
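
The Userinit technique above works because Winlogon runs every comma-separated entry in that value at logon, so the appended %commonappdata%\%variable2%.exe starts with each session. The following script is an added example, not ESET's code: it parses a Userinit value and reports any entry other than the genuine system32\userinit.exe. The file name "kbdsvc32.exe" and the path C:\ProgramData are constructed placeholders for the trojan's %variable2%.exe and %commonappdata%; the optional live read uses the winreg module and only works on Windows.

```python
# Added example for this page (not ESET's code): audit the Winlogon "Userinit"
# value for the appended-executable persistence described above.
from typing import Dict, List

# Stock value shipped by Windows; the trailing comma is part of the default.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit REG_SZ into its program entries.

    Winlogon launches every comma-separated entry at logon, so anything
    after userinit.exe is an extra program that runs with each session.
    """
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def extra_userinit_entries(value: str, system_root: str = r"C:\Windows") -> List[str]:
    """Return every entry that is not the genuine system32\\userinit.exe.

    The full path is compared, not just the file name, so a copy named
    userinit.exe dropped somewhere else is still reported.
    """
    expected = (system_root.rstrip("\\") + r"\system32\userinit.exe").lower()
    return [e for e in parse_userinit(value) if e.lower() != expected]


def audit_userinit(value: str, system_root: str = r"C:\Windows") -> Dict[str, object]:
    """Summarise a Userinit value: verdict plus the entries that triggered it."""
    extras = extra_userinit_entries(value, system_root)
    return {
        "value": value,
        "extra_entries": extras,
        "verdict": "suspicious: extra logon program(s)" if extras else "clean",
    }


def read_live_userinit() -> str:
    """Read the value from the local registry (Windows only; '' elsewhere)."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return ""
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    )
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


# Constructed samples. "kbdsvc32.exe" is a placeholder for the trojan's
# %variable2%.exe; %commonappdata% expands to C:\ProgramData on Vista and later.
CLEAN_SAMPLE = DEFAULT_USERINIT
INFECTED_SAMPLE = r"C:\Windows\system32\userinit.exe, C:\ProgramData\kbdsvc32.exe"

if __name__ == "__main__":
    for sample in (CLEAN_SAMPLE, INFECTED_SAMPLE, read_live_userinit()):
        if sample:
            print(audit_userinit(sample))
```

On a system where Windows is installed somewhere other than C:\Windows, pass that root as system_root; anything else in the value, including a second userinit.exe outside system32, is reported as an extra logon program.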


The trojan creates and runs a new thread with its own program code in all running processes.


The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • idaq.exe
  • multi_pot.exe
  • HookExplorer.exe
  • proc_analyzer.exe
  • sckTool.exe
  • sniff_hit.exe
  • sysAnalyzer.exe
  • idag.exe
  • PETools.exe
  • ImportREC.exe
  • ollydbg.exe
  • dumpcap.exe
  • wireshark.exe
  • xenservice.exe
  • vboxtray.exe
  • vboxservice.exe
  • vmsrvc.exe
  • vmusrvc.exe
  • vmwaretray.exe
  • vmwareuser.exe

Information stealing

The trojan collects sensitive information when the user browses certain web sites.


The trojan is able to log keystrokes.


The trojan collects the following information:

  • computer name
  • login user names for certain applications/services
  • screenshots
  • data from the clipboard

The collected information is stored in the following files:

  • %appdata%\%variable3%\cmdline.txt
  • %appdata%\%variable3%\keylog.txt
  • %appdata%\%variable3%\scrs\%number%.jpg

A string with variable content is used instead of %variable3%, %number%.
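
Because %variable3% is random, the collection folder cannot be found by name; it can be found by its layout, a directory directly under %appdata% holding cmdline.txt, keylog.txt and a scrs subfolder of numbered .jpg files. The script below is an added example, not ESET's code: it classifies file paths against that layout, groups hits by directory and flags directories showing at least two of the three artifact kinds. The user name "alice", the directory "x7ak2q" and the whole file listing are constructed; the live scanner that walks a real %appdata% tree is optional.

```python
# Added example for this page (not ESET's code): locate the trojan's
# collection files under %appdata% by their layout rather than by a fixed
# directory name, since %variable3% is random.
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

SHOT_RE = re.compile(r"\d+\.jpg", re.IGNORECASE)
LOOSE_FILES = {"cmdline.txt": "cmdline", "keylog.txt": "keylog"}


def classify_artifact(path: str, appdata: str) -> Optional[Tuple[str, str]]:
    r"""Return (dir_name, kind) for a path matching the trojan's layout, else None.

    Expected shapes, relative to %appdata%:
        <dir>\cmdline.txt   <dir>\keylog.txt   <dir>\scrs\<number>.jpg
    """
    base = appdata.replace("/", "\\").rstrip("\\")
    norm = path.replace("/", "\\")
    if not norm.lower().startswith(base.lower() + "\\"):
        return None
    parts = norm[len(base) + 1:].split("\\")
    if len(parts) == 2 and parts[1].lower() in LOOSE_FILES:
        return parts[0], LOOSE_FILES[parts[1].lower()]
    if len(parts) == 3 and parts[1].lower() == "scrs" and SHOT_RE.fullmatch(parts[2]):
        return parts[0], "screenshot"
    return None


def find_dropper_artifacts(paths: Iterable[str], appdata: str) -> Dict[str, List[str]]:
    """Group matching artifact kinds by the %appdata% subdirectory holding them."""
    hits: Dict[str, set] = {}
    for p in paths:
        found = classify_artifact(p, appdata)
        if found:
            hits.setdefault(found[0], set()).add(found[1])
    return {d: sorted(kinds) for d, kinds in hits.items()}


def suspicious_dirs(hits: Dict[str, List[str]]) -> List[str]:
    """Directories showing at least two of the three artifact kinds.

    A lone cmdline.txt is common in benign software; keylog.txt next to a
    'scrs' folder of numbered screenshots is the combination worth triaging.
    """
    return sorted(d for d, kinds in hits.items() if len(kinds) >= 2)


def scan_live_appdata(appdata: str) -> Dict[str, List[str]]:
    """Walk a real %appdata% tree and apply the same classification."""
    def walk():
        for root, _dirs, files in os.walk(appdata):
            for f in files:
                yield os.path.join(root, f)
    return find_dropper_artifacts(walk(), appdata)


# Constructed file listing; "x7ak2q" stands in for the random %variable3%.
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"C:\Users\alice\AppData\Roaming\x7ak2q\cmdline.txt",
    r"C:\Users\alice\AppData\Roaming\x7ak2q\keylog.txt",
    r"C:\Users\alice\AppData\Roaming\x7ak2q\scrs\1.jpg",
    r"C:\Users\alice\AppData\Roaming\x7ak2q\scrs\2.jpg",
    r"C:\Users\alice\AppData\Roaming\x7ak2q\scrs\thumbs.db",
    r"C:\Users\alice\AppData\Roaming\Notepad++\cmdline.txt",
]

if __name__ == "__main__":
    hits = find_dropper_artifacts(SAMPLE_PATHS, APPDATA)
    print(hits, suspicious_dirs(hits))
```

Run against a mounted image or a file listing exported from a host, the grouping step matters more than the individual matches: the random folder name changes per infection, but the three-file layout does not.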


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • log keystrokes
  • send gathered information
  • set up a proxy server

The trojan hooks the following Windows APIs:

  • CryptEncrypt (advapi32.dll)
  • Beep (kernel32.dll)
  • CreateFileW (kernel32.dll)
  • AddSigner (mespro.dll)
  • PR_Close (nspr4.dll)
  • PR_Connect (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • ZwQueryInformationProcess (ntdll.dll)
  • SSL_write (ssleay32.dll)
  • URLDownloadToCacheFileW (urlmon.dll)
  • URLDownloadToFileW (urlmon.dll)
  • CallWindowProcA (user32.dll)
  • CallWindowProcW (user32.dll)
  • CloseClipboard (user32.dll)
  • CountClipboardFormats (user32.dll)
  • CreateDialogParamW (user32.dll)
  • DefDlgProcA (user32.dll)
  • DefDlgProcW (user32.dll)
  • DefFrameProcA (user32.dll)
  • DefFrameProcW (user32.dll)
  • DefMDIChildProcA (user32.dll)
  • DefMDIChildProcW (user32.dll)
  • DefWindowProcA (user32.dll)
  • DefWindowProcW (user32.dll)
  • EmptyClipboard (user32.dll)
  • FlashWindow (user32.dll)
  • FlashWindowEx (user32.dll)
  • GetCapture (user32.dll)
  • GetCaretBlinkTime (user32.dll)
  • GetClipboardData (user32.dll)
  • GetCursorPos (user32.dll)
  • GetMessageA (user32.dll)
  • GetMessagePos (user32.dll)
  • GetMessageW (user32.dll)
  • GetPriorityClipboardFormat (user32.dll)
  • GetUpdatedClipboardFormats (user32.dll)
  • GetWindowTextA (user32.dll)
  • IsClipboardFormatAvailable (user32.dll)
  • MessageBeep (user32.dll)
  • OpenClipboard (user32.dll)
  • OpenDesktopA (user32.dll)
  • OpenDesktopW (user32.dll)
  • OpenInputDesktop (user32.dll)
  • PeekMessageA (user32.dll)
  • PeekMessageW (user32.dll)
  • ReleaseCapture (user32.dll)
  • SendInput (user32.dll)
  • SetCapture (user32.dll)
  • SetClipboardData (user32.dll)
  • SetCursorPos (user32.dll)
  • SetDIBitsToDevice (gdi32.dll)
  • SwitchDesktop (user32.dll)
  • TrackPopupMenuEx (user32.dll)
  • TranslateMessage (user32.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • PlaySoundA (winmm.dll)
  • PlaySoundW (winmm.dll)
  • sndPlaySoundA (winmm.dll)
  • sndPlaySoundW (winmm.dll)
  • waveOutOpen (winmm.dll)
  • waveOutWrite (winmm.dll)
  • getaddrinfo (ws2_32.dll)
  • gethostbyname (ws2_32.dll)
  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • WSASend (ws2_32.dll)
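
Hooks like the ones listed above are placed in user mode, inside each process the trojan has injected, by overwriting the entry of the exported function with a jump to the trojan's handler. The script below is an added example, not ESET's code, of how a forensic check can spot such a hook: it recognises the redirect stubs hook engines typically write at offset 0 (jmp rel32, indirect jmp, push/ret, mov rax/jmp rax) and it compares the live prologue with the on-disk bytes of the same export. All prologue bytes and the handler address 0x7FF712345678 are constructed, not dumped from real binaries; the export names are taken from the list above only to label the samples.

```python
# Added example for this page (not ESET's code): spot user-mode inline hooks
# on exported functions such as the ones listed above. Two checks: recognise
# the redirect stubs hook engines write at the entry point, and compare the
# live prologue against the on-disk image of the same export.
import struct
from typing import Dict, List, Optional, Tuple

PROLOGUE_LEN = 16  # bytes compared between disk and memory


def classify_redirect(prologue: bytes) -> Optional[str]:
    """Describe an unconditional redirect at offset 0, or return None.

    Compiler prologues (mov edi,edi / push ebp / sub rsp) never begin with
    these forms, so any of them at the entry of an export is worth a look.
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:            # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return f"jmp rel32 (displacement {rel:#x})"
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":    # jmp [addr] / jmp [rip+disp32]
        return "jmp indirect"
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # push imm32; ret
        return "push/ret"
    if len(prologue) >= 12 and prologue[:2] == b"\x48\xb8" and prologue[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"                       # x64 absolute jump
    return None


def prologue_differs(disk: bytes, memory: bytes, n: int = PROLOGUE_LEN) -> bool:
    """True when the loaded code no longer matches the file image.

    Relocations and import thunks are patched elsewhere, so the first bytes
    of an export are expected to be identical on disk and in memory.
    """
    return disk[:n] != memory[:n]


def audit_export(name: str, disk: bytes, memory: bytes) -> Dict[str, object]:
    """Combine both checks for one export and return a small report."""
    redirect = classify_redirect(memory)
    modified = prologue_differs(disk, memory)
    return {
        "export": name,
        "redirect": redirect,
        "modified": modified,
        "hooked": bool(redirect) or modified,
    }


def hooked_exports(samples: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Names of exports whose (disk, memory) prologue pair looks hooked."""
    return sorted(n for n, (d, m) in samples.items() if audit_export(n, d, m)["hooked"])


# Constructed prologues (not dumped from real binaries).
# Hot-patchable x86 prologue: mov edi,edi ; push ebp ; mov ebp,esp ; then filler.
CLEAN_X86 = bytes.fromhex("8bff558bec83ec1c5356578b7d08")
# Same function with the first five bytes replaced by jmp rel32 to a handler.
HOOKED_JMP = b"\xe9\x00\x10\x00\x00" + CLEAN_X86[5:]
# x64 prologue: sub rsp,0x28 ; mov rax,[rip+...] (unmodified).
CLEAN_X64 = bytes.fromhex("4883ec28488b05")
# x64 entry overwritten with mov rax, <fake handler address> ; jmp rax.
HOOKED_X64 = bytes.fromhex("48b8") + (0x7FF7_1234_5678).to_bytes(8, "little") + b"\xff\xe0"

SAMPLES = {
    "HttpSendRequestA (wininet.dll)": (CLEAN_X86, HOOKED_JMP),
    "GetClipboardData (user32.dll)": (CLEAN_X86, CLEAN_X86),
    "recv (ws2_32.dll)": (CLEAN_X64, HOOKED_JMP[:5] + CLEAN_X64[5:]) if False else (CLEAN_X64, HOOKED_X64),
}

if __name__ == "__main__":
    for name, (disk, mem) in SAMPLES.items():
        print(audit_export(name, disk, mem))
```

On a live host the memory bytes come from the loaded module's export address and the disk bytes from the same export RVA in the file on disk; a hit is a lead, not a verdict, because the OS itself, application-compatibility shims and security products also place legitimate user-mode hooks, and the hot-patchable mov edi,edi prologue is normal and must not be counted as a redirect.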

The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft\Cryptography]
    • "%variable4%" = "%data%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Keyboard]
    • "%variable4%" = "%data%"

A string with variable content is used instead of %variable4%.


The trojan may attempt to delete all files on the local drives.


The trojan may cause the operating system to crash.
