Win32/Spy.Shiz [Threat Name]

Win32/Spy.Shiz.NCO [Threat Variant Name]

Category: trojan
Size: 315904 B
Aliases: Hoax.Win32.ArchSMS.cftve (Kaspersky), Variant.Zusy.112424 (BitDefender)

Short description

Win32/Spy.Shiz.NCO is a trojan that steals passwords and other sensitive information. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %commonappdata%\%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "IntelPowerAgent32" = "rundll32.exe shell32.dll, ShellExec_RunDLL %commonappdata%\%variable1%.exe"

After the installation is complete, the trojan deletes the original executable file.

The trojan quits immediately if it is run within a debugger.

The trojan quits immediately if the executable filename is one of the following:

  • sample.exe

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • autoruns.exe
  • autorunsc.exe
  • dumpcap.exe
  • idag.exe
  • idaq.exe
  • procexp.exe
  • procmon.exe
  • VMUSrvc.exe
  • wireshark.exe

The trojan quits immediately if any of the following applications is detected:

  • Sandboxie

The following programs are terminated:

  • AutoIt.exe
  • perl.exe
  • pythonw.exe

The trojan creates and runs a new thread with its own program code in all running processes.

By adding an exception in SharedAccess settings, the trojan ensures that it is not blocked.

The trojan may create the following files:

  • %temp%\%variable2%.tmp (604 B)

A string with variable content is used instead of %variable1-2%.

The trojan may execute the following commands:

  • %windir%\system32\sdbinst.exe
  • %windir%\system32\sdbinst.exe "%temp%\%variable2%.tmp" -q
  • %windir%\system32\sndvol.exe /c start "%malwarefilepath%" -d
  • %system%\cmd.exe /c "%windir%\SysWOW64\SysSndVol.exe /c" start "%malwarefilepath%" -d
  • %windir%\system32\sdbinst.exe "%temp%\%variable2%.tmp" -u
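
For triage, the Run entry and the command lines listed above can be matched in exported registry values and process-creation logs. The following is an added example, not part of the original description: the function names, labels and sample data are constructed, and it assumes %commonappdata% resolves to C:\ProgramData (or the legacy All Users path) and %temp% to a directory named Temp.

```python
import re

# Patterns built from the behaviours listed on this page. Assumptions:
# %commonappdata% resolves to C:\ProgramData (or the legacy All Users path)
# and %temp% is any directory named Temp.
COMMON = (r'(?:%commonappdata%|[a-z]:\\programdata|'
          r'[a-z]:\\documents and settings\\all users\\application data)')
RUN_RE = re.compile(
    r'rundll32(?:\.exe)?\s+shell32(?:\.dll)?\s*,\s*ShellExec_RunDLL\s+"?'
    + COMMON + r'\\[^\\"]+\.exe', re.I)
SDB_RE = re.compile(r'\\sdbinst\.exe"?\s+"?[^"]*\\temp\\[^\\"]+\.tmp"?\s+-([qu])\b', re.I)
SNDVOL_RE = re.compile(r'\\(?:sndvol|syssndvol)\.exe\s+/c"?\s+start\s+"[^"]+"\s+-d\b', re.I)

def triage_run_value(name, data):
    """Return the reasons a Run-key value resembles the entry described above."""
    reasons = []
    if name.lower() == "intelpoweragent32":
        reasons.append("value-name")
    if RUN_RE.search(data):  # .exe sitting directly in the common appdata root
        reasons.append("rundll32-launch-from-commonappdata")
    return reasons

def triage_command_line(cmdline):
    """Label a process command line that matches one of the listed commands."""
    m = SDB_RE.search(cmdline)
    if m:
        return "sdbinst-tmp-" + m.group(1).lower()
    if SNDVOL_RE.search(cmdline):
        return "sndvol-start"
    return None

def scan(run_values, cmdlines):
    """Collect (item, reasons) pairs for every Run value or command line that hits."""
    hits = [(n, r) for n, d in run_values.items() if (r := triage_run_value(n, d))]
    hits += [(c, [label]) for c in cmdlines if (label := triage_command_line(c))]
    return hits

# Constructed sample data (not taken from a real host).
SAMPLE_RUN = {
    "IntelPowerAgent32": r'rundll32.exe shell32.dll, ShellExec_RunDLL C:\ProgramData\qwzkdfa.exe',
    "OneDrive": r'"C:\Users\al\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'rundll32.exe shell32.dll,ShellExec_RunDLL C:\ProgramData\Vendor\upd.exe',
}
SAMPLE_CMDS = [
    r'C:\Windows\system32\sdbinst.exe "C:\Users\al\AppData\Local\Temp\a1b2.tmp" -q',
    r'C:\Windows\system32\cmd.exe /c "C:\Windows\SysWOW64\SysSndVol.exe /c" start "C:\ProgramData\qwzkdfa.exe" -d',
    r'C:\Windows\system32\sdbinst.exe "C:\Program Files\Vendor\fix.sdb"',
]

if __name__ == "__main__":
    for item, reasons in scan(SAMPLE_RUN, SAMPLE_CMDS):
        print(reasons, item)
```

The value name alone is a weak signal; the rundll32 launcher pointing at an executable directly under the common application data folder still matches if the value is renamed.
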
Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • operating system version
  • list of running processes
  • installed antivirus software
  • screenshots
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • digital certificates
  • Bitcoin wallet contents
  • URLs visited
  • data from the clipboard

The trojan collects sensitive information when the user browses certain web sites.

The trojan is able to log keystrokes.

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan checks for Internet connectivity by trying to connect to the following servers:


The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • delete cookies
  • make operating system unbootable
  • modify the content of websites
  • redirect network traffic

The trojan hooks the following Windows APIs:

  • CPExportKey (rsaenh.dll)
  • CreateDialogParamW (user32.dll)
  • CreateProcessInternalW (kernel32.dll)
  • CryptEncrypt (advapi32.dll)
  • getaddrinfo (ws2_32.dll)
  • GetClipboardData (user32.dll)
  • gethostbyname (ws2_32.dll)
  • GetMessageA (user32.dll)
  • GetMessageW (user32.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • I_CryptUIProtect (cryptui.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • InternetSetStatusCallbackA (wininet.dll)
  • InternetSetStatusCallbackW (wininet.dll)
  • LoadLibraryExW (kernel32.dll)
  • PFXImportCertStore (crypt32.dll)
  • PR_Close (nss3.dll)
  • PR_Connect (nss3.dll)
  • PR_Read (nss3.dll)
  • PR_Write (nss3.dll)
  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • SendInput (user32.dll)
  • SSL_write (ssleay32.dll)
  • TlsGetValue (kernel32.dll)
  • TranslateMessage (user32.dll)
  • URLDownloadToCacheFileW (urlmon.dll)
  • URLDownloadToFileW (urlmon.dll)
  • WSARecv (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • ZwQueryInformationProcess (ntdll.dll)
  • ZwQuerySystemInformation (ntdll.dll)

The trojan contains both 32-bit and 64-bit program components.
