Win32/Spy.Autoit.BY [Threat Name] go to Threat

Win32/Spy.Autoit.BY [Threat Variant Name]

Category trojan
Size 732223 B
Detection created Dec 09, 2015
Detection database version 12693
Aliases Trojan-Ransom.Win32.Foreign.mzsy (Kaspersky)
  Trojan:MSIL/BitcoinMiner.A (Microsoft)
  Trojan.Inject2.16432 (Dr.Web)
Short description

Win32/Spy.Autoit.BY is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.


When executed, the trojan copies itself into the following location:

  • %appdata%\­nJFKrvSGxB\­uArVzWJr.exe

The following files are dropped:

  • %temp%\­RarSFX%variable1%\­JBchppI.exe (45056 B, MSIL/Injector.OJN)
  • %temp%\­RARSFX%variable1%\­srVzWJrYnjUO.bin (503169 B)
  • %temp%\­%variable2%

A string with variable content is used instead of %variable1-2% .

The trojan creates the following file:

  • %startup%\­YDDYNXdLBf.lnk

The file is a shortcut to a malicious file.

This causes the trojan to be executed on every system start.

The trojan creates copies of the following files (source, destination):

  • %windir%\­Microsoft.NET\­Framework\­v2.0.50727\­Cvtres.exe, %appdata%\­Microsoft\­log\­securityscan.exe

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "TaskbarNoNotification" = 1
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "ConsentPromptBehaviorAdmin" = 0
  • [HKEY_CURRENT_USER\­Software\­user]
    • "RunOnce" = 1
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "securityscan" = "%appdata%\­Microsoft\­log\­AutoUpdate.exe"

The trojan launches the following processes:

  • %windir%\­Microsoft.NET\­Framework\­v2.0.50727\­Cvtres.exe

The trojan creates and runs a new thread with its own code within these running processes.

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • VboxService.exe
  • VMwaretray.exe
  • vpc.exe
  • VBoxTray.exe
  • VBoxexe
  • VmWareTools.exe
  • VMwareService.exe

The trojan terminates itself if it detects any application with one of the following text in the window name:

  • Program Manager
Information stealing

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • logged keystrokes
  • screenshots
  • user name
  • computer name
  • external IP address of the network device
  • network adapter information
  • CPU information
  • memory status
  • BIOS version
  • installed antivirus software
  • default Internet browser
  • operating system version
  • language settings

The following programs are affected:

  • Google Chrome
  • Mozilla Firefox
  • Filezilla

The following services are affected:

  • No-IP

The collected information is stored in the following files:

  • %appdata%\­Microsoft\­log\­passwords.txt
  • %appdata%\­Microsoft\­log\­logs_%variable%.htm

A string with variable content is used instead of %variable% .

The trojan sends the information via e-mail. The SMTP protocol is used.

Please enable Javascript to ensure correct displaying of this content and refresh this page.