Win32/Spy.Shiz [Threat Name] go to Threat

Win32/Spy.Shiz.NCP [Threat Variant Name]

Category trojan
Size 195072 B
Aliases Trojan:Win32/Beaugrit.gen!AAA (Microsoft)
Short description

Win32/Spy.Shiz.NCP is a trojan that steals passwords and other sensitive information. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %commonappdata%\­%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "IntelPowerAgent32" = "rundll32.exe shell32.dll, ShellExec_RunDLL %commonappdata%\­%variable1%.exe"

After the installation is complete, the trojan deletes the original executable file.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows]
    • "%variable2%" = %binaryvalue%

The trojan quits immediately if it is run within a debugger.


The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The trojan quits immediately if the executable filename is one of the following:

  • malware.exe
  • sample.exe
  • test.exe

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • apispy.exe
  • autoruns.exe
  • autorunsc.exe
  • dumpcap.exe
  • emul.exe
  • fortitracer.exe
  • hookanaapp.exe
  • hookexplorer.exe
  • idag.exe
  • idaq.exe
  • importrec.exe
  • imul.exe
  • joeboxcontrol.exe
  • joeboxserver.exe
  • multi_pot.exe
  • ollydbg.exe
  • peid.exe
  • petools.exe
  • proc_analyzer.exe
  • procexp.exe
  • procmon.exe
  • regmon.exe
  • scktool.exe
  • sniff_hit.exe
  • sysanalyzer.exe
  • vboxservice.exe
  • vboxtray.exe
  • vmsrvc.exe
  • vmtoolsd.exe
  • vmusrvc.exe
  • vmwaretray.exe
  • vmwareuser.exe
  • wireshark.exe
  • xenservice.exe

The trojan quits immediately if any of the following applications is detected:

  • Sandboxie

The following programs are terminated:

  • python.exe
  • pythonw.exe
  • perl.exe
  • autoit3.exe

The trojan creates and runs a new thread with its own program code in all running processes.


By adding an exception in SharedAccess settings, the trojan ensures that it is not blocked.


The trojan may create the following files:

  • %appdata%\­%variable3%
  • %appdata%\­%variable4%
  • %localsettings%\­Application Data\­Temp\­Low\­%variable5%\­cmdline.txt
  • %localsettings%\­Application Data\­Temp\­Low\­%variable5%\­keylog.txt
  • %localsettings%\­Application Data\­Temp\­Low\­%variable5%\­vkeys\­%variable6%.jpg
  • %temp%\­%variable7%.tmp (604 B)
  • %temp%\­%variable8%.bat
  • %temp%\­%variable9%.dat
  • %temp%\­%variable10%.tmp

The trojan may execute the following commands:

  • %windir%\­system32\­sdbinst.exe
  • %windir%\­system32\­sdbinst.exe "%temp%\­%variable7%.tmp" -q
  • %windir%\­system32\­sndvol.exe /c start "%malwarefilepath%" -d
  • %system%\­cmd.exe /c "%windir%\­SysWOW64\­SysSndVol.exe /c" start "%malwarefilepath%" -d
  • %windir%\­system32\­sdbinst.exe "%temp%\­%variable7%.tmp" -u

A string with variable content is used instead of %variable1-10% .

Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • operating system version
  • list of running processes
  • installed antivirus software
  • screenshots
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • digital certificates
  • Bitcoin wallet contents
  • URLs visited
  • data from the clipboard

The trojan collects sensitive information when the user browses certain web sites.


The trojan is able to log keystrokes.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • download.windowsupdate.com
  • vk.com
  • yandex.ru

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • delete cookies
  • make operating system unbootable
  • modify the content of websites
  • redirect network traffic

The trojan hooks the following Windows APIs:

  • CertGetCertificateChain (crypt32.dll)
  • CertVerifyCertificateChainPolicy (crypt32.dll)
  • CreateDialogParamW (user32.dll)
  • CreateFileW (kernel32.dll)
  • CreateProcessInternalW (kernel32.dll)
  • CryptEncrypt (advapi32.dll)
  • getaddrinfo (WS2_32.dll)
  • GetAddrInfoExW (WS2_32.dll)
  • GetClipboardData (user32.dll)
  • gethostbyname (WS2_32.dll)
  • GetMessageA (user32.dll)
  • GetMessageW (user32.dll)
  • HttpSendRequestA (Wininet.dll)
  • HttpSendRequestExA (Wininet.dll)
  • HttpSendRequestExW (Wininet.dll)
  • HttpSendRequestW (Wininet.dll)
  • InternetCloseHandle (Wininet.dll)
  • InternetQueryDataAvailable (Wininet.dll)
  • InternetReadFile (Wininet.dll)
  • InternetReadFileExA (Wininet.dll)
  • InternetReadFileExW (Wininet.dll)
  • InternetSetStatusCallbackA (Wininet.dll)
  • InternetSetStatusCallbackW (Wininet.dll)
  • LoadLibraryExW (kernel32.dll)
  • PFXImportCertStore (crypt32.dll)
  • PR_Close (nspr4.dll,nss3.dll)
  • PR_Connect (nspr4.dll,nss3.dll)
  • PR_Read (nspr4.dll,nss3.dll)
  • PR_Write (nspr4.dll,nss3.dll)
  • send (WS2_32.dll)
  • SendInput (user32.dll)
  • SSL_AuthCertificateHook (nspr4.dll)
  • SSL_Write (ssleay32.dll)
  • TlsGetValue (kernel32.dll)
  • TranslateMessage (user32.dll)
  • URLDownloadToCacheFileW (urlmon.dll)
  • URLDownloadToFileW (urlmon.dll)
  • WSAsend (WS2_32.dll)
  • ZwQueryInformationProcess (ntdll.dll)
  • ZwQuerySystemInformation (ntdll.dll)

The trojan contains both 32-bit and 64-bit program components.

Please enable Javascript to ensure correct displaying of this content and refresh this page.