Win32/Spy.Shiz [Threat Name] go to Threat

Win32/Spy.Shiz.NCT [Threat Variant Name]

Category trojan
Size 217602 B
Detection created Sep 18, 2015
Detection database version 12276
Aliases Infostealer.Limitail (Symantec)
  Trojan:Win32/Pariham.A (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %commonappdata%\­%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "IntelPowerAgent%variable2% = "rundll32.exe shell32.dll, ShellExec_RunDLL %commonappdata%\­%variable1%.exe"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows]
    • "%variable3%" = %binvalue%
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings\­Zones\­3]
    • "1406" = 0

A string with variable content is used instead of %variable1-3% .

Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • information about the operating system and system settings
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • list of running processes
  • installed antivirus software
  • logged keystrokes
  • screenshots
  • data from the clipboard
  • Bitcoin wallet contents
  • Litecoin wallet contents
  • digital certificates

The trojan collects sensitive information when the user browses certain web sites.

The trojan is able to log keystrokes.

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan performs no action if any of the following applications is detected:

  • Avast Antivirus
  • Sandboxie

Trojan can detect presence of virtual environments and sandboxes.

Trojan can detect presence of debuggers and other analytical tools.

The trojan quits immediately if it is run within a debugger.

The trojan quits immediately if any of the following folders/files is detected:

  • c:\­sample\­pos.exe
  • \­\­.\­NPF_NdisWanIp
  • c:\­analysis\­sandboxstarter.exe
  • c:\­analysis
  • c:\­insidetm
  • c:\­windows\­system32\­drivers\­vmmouse.sys
  • c:\­windows\­system32\­drivers\­vmhgfs.sys
  • c:\­windows\­system32\­drivers\­vboxmouse.sys
  • c:\­iDEFENSE
  • c:\­popupkiller.exe
  • c:\­tools\­execute.exe

The trojan quits immediately if the computer name is one of the following:


The trojan quits immediately if the user name is one of the following:


The trojan may create and run a new thread with its own program code within any running process.

It uses techniques common for rootkits.

The trojan hooks the following Windows APIs:

  • _write (msvcr90.dll)
  • CertVerifyCertificateChainPolicyCertGetCertificateChain (crypt32.dll)
  • connect (ws_32.dll)
  • ConnectEx (mswsock.dll)
  • CPExportKey (rsaenh.dll)
  • getaddrinfo (ws_32.dll)
  • GetAddrInfoExW (ws_32.dll)
  • GetClipboardData (user32.dll)
  • gethostbyname (ws_32.dll)
  • GetMessageA (user32.dll)
  • GetMessageW (user32.dll)
  • I_CryptUIProtect (cryptui.dll)
  • PFXImportCertStore (crypt32.dll)
  • send (ws2_32.dll)
  • SSL_AuthCertificateHook (nspr4.dll, nss3.dll)
  • TranslateMessage (user32.dll)
  • URLDownloadToCacheFileW (urlmon.dll)
  • UrlDownloadToFileW (urlmon.dll)
  • WSASend (ws2_32.dll)
  • zend_compile_file (php5ts.dll)
  • ZwQuerySystemInformation (ntdll.dll)

The trojan checks for Internet connectivity by trying to connect to the following addresses:


The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send gathered information
  • delete cookies
  • make operating system unbootable
  • redirect network traffic

The trojan may delete the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "DisableCurrentUserRun"

Please enable Javascript to ensure correct displaying of this content and refresh this page.