Win32/Spy.Bizzana [Threat Name]

Win32/Spy.Bizzana.A [Threat Variant Name]

Category: trojan
Size: 389120 B
Detection created: Mar 09, 2015
Detection database version: 11292
Aliases: Trojan.Win32.Agent.nesazb (Kaspersky), TR/Bizzana.A.15 (Avira)
Short description

Win32/Spy.Bizzana.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself to one of the following locations:

  • %appdata%\%variable%\%variable%.exe
  • %commonappdata%\%variable%\%variable%.exe

The %variable% is one of the following strings:

  • hdaudio_driver
  • kernel module
  • ntdll
  • windows process
  • windows service
  • windowsNT

In order to be executed on every system start, the trojan sets one of the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%appdata%\%variable%\%variable%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%commonappdata%\%variable%\%variable%.exe"

After the installation is complete, the trojan deletes the original executable file.
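
The installation pattern above (a folder and an executable that share one of the listed names under the per-user or common application data directory, plus a Run value of the same name pointing at it) is specific enough to hunt for. The following Python script is an added example, not code from ESET or from this page: it applies that pattern to a list of Run-key entries. The registry entries in it are constructed sample data, and it assumes the Vista-and-later defaults for the expanded paths (%appdata% = C:\Users\<user>\AppData\Roaming, %commonappdata% = C:\ProgramData).

```python
"""
Hunt for the Win32/Spy.Bizzana.A persistence layout:
    <base>\<name>\<name>.exe   registered under ...\CurrentVersion\Run as "<name>"
where <base> is %appdata% or %commonappdata% and <name> is one of the
strings the write-up lists for %variable%.
Added example, not ESET's code; sample entries below are constructed.
"""
import ntpath
import re

# The %variable% strings from the write-up; compared case-insensitively.
BIZZANA_NAMES = {
    "hdaudio_driver", "kernel module", "ntdll",
    "windows process", "windows service", "windowsnt",
}

# Accepted install bases: the write-up's placeholders plus their usual
# on-disk expansions. Assumption: Vista+ defaults; %commonappdata% is the
# write-up's name for CSIDL_COMMON_APPDATA, i.e. C:\ProgramData.
_BASES = [
    r"%appdata%",
    r"%commonappdata%",
    r"%programdata%",
    r"[a-z]:\\users\\[^\\]+\\appdata\\roaming",
    r"[a-z]:\\programdata",
]
_INSTALL_RE = re.compile(
    r"^(?:" + "|".join(_BASES) + r")\\(?P<dir>[^\\]+)\\(?P<exe>[^\\]+)$",
    re.IGNORECASE,
)


def match_install_path(path):
    """Return the %variable% name if `path` has the Bizzana layout, else None."""
    m = _INSTALL_RE.match(path.strip().strip('"'))
    if not m:
        return None
    folder, exe = m.group("dir"), m.group("exe")
    stem, ext = ntpath.splitext(exe)
    # Folder name and executable stem must be the same string, and a known name.
    if ext.lower() != ".exe" or stem.lower() != folder.lower():
        return None
    return stem if stem.lower() in BIZZANA_NAMES else None


def scan_run_entries(entries):
    """
    entries: iterable of (registry_key, value_name, value_data).
    Returns the entries whose key is a CurrentVersion\Run key, whose data
    matches the install layout, and whose value name equals the %variable%.
    """
    hits = []
    for key, name, data in entries:
        if not key.lower().endswith(r"\software\microsoft\windows\currentversion\run"):
            continue
        var = match_install_path(data)
        if var is not None and name.lower() == var.lower():
            hits.append({"key": key, "name": name, "path": data})
    return hits


# Constructed sample Run-key entries (not taken from a real system).
SAMPLE_RUN_ENTRIES = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "hdaudio_driver", r"%appdata%\hdaudio_driver\hdaudio_driver.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "windows service", r"C:\ProgramData\windows service\windows service.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "ntdll", r"C:\Windows\System32\ntdll.exe"),  # real-looking name, wrong base
]

if __name__ == "__main__":
    for hit in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[!] {hit['key']}  {hit['name']!r} -> {hit['path']}")
```

On a live host the entries would come from the Run keys of HKLM and every loaded user hive; the matcher accepts both the unexpanded placeholder form and the expanded path so it works on exported .reg data and on enumerated values alike. Because the original dropper is deleted after installation, the Run value and the copied executable are usually the only file-system and registry artifacts left to find.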

The trojan injects its own code into the following processes and runs it in a new thread:

  • chrome.exe
  • firefox.exe
  • iexplore.exe

Information stealing

The trojan collects sensitive information when the user browses certain web sites.

The following programs are affected:

  • Internet Explorer
  • Google Chrome
  • Mozilla Firefox

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL; communication with the remote host uses HTTP.

It can execute the following operations:

  • modify the content of websites
  • send gathered information

The trojan may alter the contents of the clipboard.

Inside the injected browser processes, the trojan hooks the following API functions (the kernel32.dll and wininet.dll entries are Windows APIs; PR_Close, PR_Read and PR_Write are NSPR functions exported by Firefox's nss3.dll). Hooking the browsers' own read and write routines gives it access to web traffic after TLS decryption on the way in and before encryption on the way out, which is what lets it read and modify page content:

  • FreeLibrary (kernel32.dll)
  • HttpQueryInfoA (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • LoadLibraryA (kernel32.dll)
  • LoadLibraryExA (kernel32.dll)
  • LoadLibraryExW (kernel32.dll)
  • LoadLibraryW (kernel32.dll)
  • PR_Close (nss3.dll)
  • PR_Read (nss3.dll)
  • PR_Write (nss3.dll)
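
Hooks like the ones listed above are commonly planted by overwriting the first bytes of the target function with a jump into the injected code. The following Python script is an added example, not code from ESET or from this page, and it assumes that inline-patch technique (the write-up does not say how Bizzana installs its hooks; an IAT hook would need a different check). It decodes the jump a patched prologue starts with and flags functions whose jump leaves the module that exports them. The prologue bytes, module bounds and export addresses are constructed sample values, not bytes from real DLLs or from the malware.

```python
"""
Detect inline-patched API prologues of the kind a hook on InternetReadFile
or PR_Read would leave behind. Added example; all sample values constructed.
"""
import struct


def decode_transfer(code, va):
    """
    Decode the control transfer an inline hook typically writes at `va`.
    Returns (kind, target) for: E9 rel32 (jmp), 68 imm32 C3 (push; ret),
    B8 imm32 FF E0 (mov eax, imm32; jmp eax). None for anything else.
    32-bit forms only: a 64-bit hook (FF 25 RIP-relative, mov rax/jmp rax)
    is not decoded here.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":
        return "mov_eax_jmp", struct.unpack_from("<I", code, 1)[0]
    return None


def check_prologue(name, mem_bytes, disk_bytes, func_va, module_range):
    """
    Compare the prologue read from process memory with the one from the
    module file on disk (relocations already applied by the caller).
    module_range is (base, base + size) of the exporting module.
    """
    lo, hi = module_range
    verdict = {"function": name,
               "patched": mem_bytes[:len(disk_bytes)] != disk_bytes}
    t = decode_transfer(mem_bytes, func_va)
    if t is not None:
        kind, target = t
        # A jump that lands outside the exporting module is the hook signature;
        # a jump that stays inside it may be a legitimate stub (e.g. hot-patching).
        verdict.update(transfer=kind, target=target,
                       leaves_module=not (lo <= target < hi))
    return verdict


def find_hooks(entries, module_range):
    """entries: iterable of (name, mem_bytes, disk_bytes, func_va). Returns flagged verdicts."""
    verdicts = (check_prologue(*e, module_range) for e in entries)
    return [v for v in verdicts if v["patched"] and v.get("leaves_module", False)]


# --- constructed sample data --------------------------------------------
# Classic hot-patchable 32-bit prologue: mov edi,edi; push ebp; mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")
WININET_RANGE = (0x76D00000, 0x76DD0000)      # assumed wininet.dll bounds
INTERNETREADFILE_VA = 0x76D4A0C0               # assumed export address
HOOK_TARGET = 0x00A81000                       # assumed injected-code address

# What an inline hook leaves at InternetReadFile: jmp rel32 to HOOK_TARGET.
HOOKED_PROLOGUE = b"\xE9" + struct.pack("<i", HOOK_TARGET - (INTERNETREADFILE_VA + 5))
# A jump that stays inside wininet.dll: patched, but not a foreign hook.
IN_MODULE_JMP = b"\xE9" + struct.pack("<i", 0x76D4C000 - (0x76D4C340 + 5))

SAMPLE_EXPORTS = [
    ("InternetReadFile", HOOKED_PROLOGUE, CLEAN_PROLOGUE, INTERNETREADFILE_VA),
    ("InternetCloseHandle", CLEAN_PROLOGUE, CLEAN_PROLOGUE, 0x76D4B200),
    ("HttpQueryInfoA", IN_MODULE_JMP, CLEAN_PROLOGUE, 0x76D4C340),
]

if __name__ == "__main__":
    for v in find_hooks(SAMPLE_EXPORTS, WININET_RANGE):
        print(f"[!] {v['function']}: {v['transfer']} -> {v['target']:#010x} (outside module)")
```

On a real system the memory bytes come from ReadProcessMemory on the browser process and the disk bytes from the same DLL mapped from its file with relocations applied; doing the comparison for every export of wininet.dll and nss3.dll in chrome.exe, firefox.exe and iexplore.exe is the direct check for the hook list above, and the jump target, when it is outside every loaded module, points at the injected code region worth dumping.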
